JWT Decoder – Free Online JSON Web Token Decoder

Paste a JWT and instantly see the header, payload and expiry details. Runs entirely in your browser. Nothing is uploaded or stored anywhere.

Frequently Asked Questions

What is a JWT Token?

A JWT, or JSON Web Token, is a compact string made up of three parts joined by dots. The header describes the signing algorithm. The payload holds the claims, which are the actual data being transmitted. The third part is the signature, which a server uses to confirm the token has not been altered. Both the header and payload are Base64url encoded (a URL-safe variant of Base64), which means anyone can read them with a JWT decoder without needing a key. Decoding is always possible, but verifying the signature requires the signing secret (or, for asymmetric algorithms, the issuer's public key). JWTs are the standard mechanism for stateless authentication in REST APIs and web applications because they carry all the information a server needs without a database lookup.

How JWT Authentication Works

When a user logs in, the server verifies their credentials and issues a signed JWT. The client stores this token, usually in memory or local storage, and sends it with every subsequent request in the Authorization header as a Bearer token. Because the server does not need to query session state from a database, this pattern is called stateless authentication. Any server that knows the signing key can validate requests independently, which makes JWT a natural fit for microservices, where each request may be handled by a different instance. The tradeoff is that tokens cannot be invalidated server side before they expire unless the server keeps extra state such as a revocation list, which is why short expiry times matter.

Understanding JWT Claims

Claims are the key-value pairs stored in the JWT payload. The specification defines a set of registered claims: sub identifies the subject, which is usually a user ID; iss names the issuer of the token; exp sets the expiry timestamp; iat records when the token was issued; and nbf sets the earliest time the token becomes valid. Public claims are shared in the IANA registry to avoid naming collisions across different systems. Private claims are custom fields agreed on between the parties. Real world examples include Kubernetes service account tokens, which use sub for pod identity, and OAuth2 access tokens, which commonly carry scope and aud claims to restrict what the token can access.

JWT Security Best Practices

Always verify the JWT signature server side before trusting any claim in the payload. Never rely on the payload contents alone. Use short expiry times so that stolen tokens become useless quickly. Keep in mind that the payload is only Base64 encoded and not encrypted, so anyone holding the token can read its contents. Never store passwords, credit card numbers, or other sensitive data in the payload. Always serve your application over HTTPS to prevent tokens being intercepted in transit. Rotate your signing keys on a regular schedule and revoke active tokens immediately when a breach is suspected.
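The decode-versus-verify distinction from the first section and the checks listed above, as an added example that is not part of this tool's code: a minimal HS256 verifier in Python's standard library that pins the algorithm, compares the signature in constant time and enforces exp and nbf. The secret and the sample token are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment):
    # JWT segments use Base64url without padding; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_unverified(token):
    # What a browser-side decoder shows: header and payload are readable without any key
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def verify_hs256(token, key, now=None):
    # Server-side check: pin the algorithm, verify the HMAC, then enforce exp and nbf
    header, payload = decode_unverified(token)
    if header.get("alg") != "HS256":  # never let the token choose its own algorithm
        raise ValueError("unexpected alg")
    signing_input, sig = token.rsplit(".", 1)
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time compare
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload

def make_hs256_token(payload, key):
    # Issuer side; used here only to construct the sample token below
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


SAMPLE_KEY = b"constructed-demo-secret"  # placeholder secret, constructed for this example
SAMPLE_PAYLOAD = {"sub": "user-123", "iss": "example-issuer", "iat": 1700000000, "exp": 1700003600}
SAMPLE_TOKEN = make_hs256_token(SAMPLE_PAYLOAD, SAMPLE_KEY)
```

A tampered payload, an `alg` of `none`, a wrong key or an expired `exp` all raise `ValueError` from `verify_hs256`, while `decode_unverified` still happily returns the forged contents.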

If you work with JSON data try our JSON to YAML converter to move configs between formats instantly. Need to set file permissions on your server? Use our chmod calculator to calculate the right octal value for any permission set.