JWT Decoder

Decode and inspect JWT headers and payloads. Check expiration status instantly. No data leaves your browser.

What Are JSON Web Tokens?

JSON Web Tokens (JWT, pronounced “jot”) are compact, URL-safe tokens defined in RFC 7519 for securely transmitting information between parties. They are the dominant authentication mechanism for modern web applications, used by OAuth 2.0, OpenID Connect, and most API authentication systems.

JWT Structure

A JWT consists of three Base64url-encoded parts separated by dots:

  • Header — Contains the signing algorithm (HS256, RS256, ES256) and token type (JWT).
  • Payload — Contains claims: sub (subject), exp (expiration), iat (issued at), iss (issuer), aud (audience), plus any custom claims.
  • Signature — Created by signing the header and payload with a secret key (HMAC) or private key (RSA/ECDSA). Used for tamper detection.

Common JWT Debugging Scenarios

  • 401 Unauthorized errors — Check the exp claim to see if the token has expired.
  • Permission denied — Inspect custom claims like role, scope, or permissions.
  • Wrong user context — Verify the sub and email claims match expectations.
  • Token not accepted — Check iss and aud claims match your server configuration.

JWT vs Session Cookies

JWTs are stateless (no server-side storage needed), work across domains, and scale well in microservice architectures. However, they cannot be revoked individually before they expire without reintroducing server-side state, and they add to the size of every request. Session cookies are server-managed, easily revocable, and smaller, but require shared session storage for horizontal scaling. Many production systems use a hybrid approach: short-lived JWTs (15 min) with refresh tokens stored server-side.

JWT Best Practices for Production

When implementing JWT authentication in production, follow these security best practices:

  • Keep tokens short-lived: access tokens should expire in 15–30 minutes; use refresh tokens (stored server-side) for session continuity.
  • Use asymmetric algorithms (RS256/ES256) instead of HS256 for microservices: each service can then verify tokens with the public key, and the private signing key never has to be handed to the verifying services.
  • Validate all standard claims: always check exp (expiration), iss (issuer), aud (audience), and iat (issued-at) against the values your server expects.
  • Never store JWTs in localStorage: any script running on the page, including one injected through XSS, can read them; prefer HttpOnly cookies with the SameSite=Strict and Secure flags.
  • Include a jti claim (JWT ID): it lets the server revoke individual tokens through a server-side blocklist when immediate logout is required.

Common JWT Libraries by Language

Node.js: jsonwebtoken (the most popular) and jose (standards-compliant, supports JWE encryption). Python: PyJWT for simple use cases, python-jose for full JOSE support. Go: golang-jwt/jwt (formerly dgrijalva/jwt-go). Java: io.jsonwebtoken:jjwt (JJWT) or com.auth0:java-jwt. Rust: jsonwebtoken crate. When choosing a library, make sure it supports an explicit algorithm allowlist, so the verifier decides which algorithms are acceptable instead of trusting the token's own alg header; otherwise an attacker can set alg to none and bypass signature verification entirely.

Security Disclaimer: This tool only decodes JWT structure. It does not verify signatures and cannot confirm token authenticity. Never trust JWT claims without server-side signature verification using your secret key or public key. Do not paste production tokens containing sensitive data into any online tool.