What Is a JSON Web Token (JWT)?
A JWT is a compact, URL-safe token format used for securely transmitting information between parties. It's the de facto standard for authentication in modern web apps and APIs (defined in RFC 7519).
A JWT consists of three Base64url-encoded parts separated by dots: header.payload.signature
JWT Structure
Header
Contains the token type (always "JWT") and the signing algorithm (e.g., HS256, RS256, ES256). This tells the verifier how to check the signature.
Payload
Contains the claims — statements about the user and metadata. Claims can be registered (standard), public, or private (custom).
Signature
Created by signing the encoded header + payload with a secret (HMAC) or private key (RSA/ECDSA). The signature ensures the token hasn't been tampered with.
Common JWT Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who created and signed the token (e.g., your auth server URL) |
| sub | Subject | The user or entity the token is about (usually a user ID) |
| aud | Audience | Intended recipient of the token (e.g., your API domain) |
| exp | Expiration | Unix timestamp after which the token is invalid |
| nbf | Not Before | Unix timestamp before which the token is not valid |
| iat | Issued At | Unix timestamp when the token was created |
| jti | JWT ID | Unique identifier to prevent token replay attacks |
Security Best Practices
- Never store sensitive data in the payload — JWTs are encoded, not encrypted. Anyone can decode the payload.
- Always verify the signature server-side — decoding is not verification. This tool decodes but cannot verify signatures.
- Use short expiration times — 15 minutes for access tokens is a common practice. Use refresh tokens for long sessions.
- Use HTTPS only — transmitting JWTs over HTTP exposes them to interception.
- Prefer RS256 over HS256 — asymmetric algorithms don't require sharing the signing key with verifiers.
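To make the structure section and the "decoding is not verification" point concrete, here is an added Python example (not this tool's own code) that does both halves: the split-and-decode a browser tool performs, and the HS256 verification a backend must do before trusting any claim. The secret, the sample claims and the forged payload are constructed for the example.

```python
import base64
import hmac
import json
import time

def b64url_decode(s):
    # Base64url omits '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def sign_hs256(payload, secret):
    # The HMAC covers the exact encoded "header.payload" string.
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in ({"typ": "JWT", "alg": "HS256"}, payload))
    sig = hmac.new(secret, signing_input.encode(), "sha256").digest()
    return signing_input + "." + b64url_encode(sig)

def decode_jwt(token):
    # What a decoder tool does: split and decode, trusting nothing.
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def verify_hs256(token, secret, now=None):
    # Backend side: pin the algorithm, constant-time MAC compare, then exp/nbf.
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode(), "sha256").digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if now >= payload.get("exp", float("inf")) or now < payload.get("nbf", 0):
        raise ValueError("outside the exp/nbf validity window")
    return payload

def tamper_demo(secret, now=1700000000):
    # Constructed sample: keep a valid signature but swap in a different payload.
    token = sign_hs256({"sub": "user-42", "exp": 2000000000}, secret)
    h, _p, s = token.split(".")
    forged = h + "." + b64url_encode(b'{"sub":"admin","exp":2000000000}') + "." + s
    decoded_sub = decode_jwt(forged)[1]["sub"]  # decoding alone reports "admin"
    try:
        verify_hs256(forged, secret, now)
        return decoded_sub, True
    except ValueError:
        return decoded_sub, False  # -> ("admin", False)
```

The decoder happily shows the edited claims; only the MAC check over the encoded header and payload exposes the change, which is why a backend must verify rather than merely decode.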
FAQ
Is it safe to paste my JWT here?
Yes. This tool runs entirely in your browser — the token is never sent to any server. You can verify this in your browser's network tab. That said, if a token is for a production system, it's best practice to use expired tokens for testing.
Can this tool verify JWT signatures?
No. Signature verification requires the signing secret (for HMAC) or public key (for RSA/ECDSA). This tool only decodes and displays the token contents. For verification, use your backend's JWT library.
Why does my JWT say "Expired"?
The exp claim is a Unix timestamp. If the current time is past that timestamp, the token is expired. This is normal — access tokens are designed to expire quickly for security. Get a new token from your auth server.
What's the difference between JWS and JWE?
JWS (JSON Web Signature) is what most people mean by "JWT" — it's signed but readable. JWE (JSON Web Encryption) is encrypted — the payload is not readable without the decryption key. This tool handles JWS tokens only.