Secure JWT Hub
This tool provides a full suite for working with JSON Web Tokens. Whether you need to inspect a token's payload or generate a new one for testing, everything happens entirely on your device.
Safely decode and encode JSON Web Tokens locally. Complete with HS256 signing and signature verification.
JSON Web Tokens (JWT) are the heart of modern web security and single sign-on (SSO) systems. They allow servers to trust the identity of a user without needing a centralized session database. However, when things go wrong—like a user being logged out unexpectedly—you need to look inside the token. Our JWT Decoder allows you to inspect the header and payload of any token instantly.
Each part is Base64URL encoded. The payload contains user data and 'claims'.
1) Header: Contains metadata about the token, such as the algorithm used for signing (e.g., HS256 or RS256).
2) Payload: The 'Meat' of the token. It contains the claims: data like user ID, username, and permissions.
3) Signature: A cryptographic signature computed over the first two parts (an HMAC for HS256, a public-key signature for RS256), ensuring that the header and payload haven't been altered by an attacker.
Standard JWTs use reserved claim names to provide interoperability. 'exp' (Expiration) tells the server when to stop trusting the token. 'iat' (Issued At) tracks when the token was created. 'sub' (Subject) is usually the unique identifier for the user. Our tool highlights these claims and converts Unix timestamps into human-readable dates for easy debugging.
If your frontend application isn't showing the user as logged in, the first step is to decode the JWT. Check if the Roles/Scopes are correct. Does the token contain 'admin:true'? Is the 'aud' (Audience) claim set to the correct client ID? Many bugs in modern auth flows are caused by simple misconfigurations in the token payload that our inspector makes easy to spot.
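As an added example (not the tool's own code), here is the decoding step such an inspector performs, written for Node.js: split the token on the dots, reverse the Base64URL encoding of the first two parts ('-' back to '+', '_' back to '/', padding restored), parse the JSON, and convert the 'exp' and 'iat' timestamps to readable dates while flagging a token that has expired or claims to have been issued in the future. The token, its subject and client ID are constructed sample values, and the signature segment is a placeholder that is deliberately not checked, because decoding does not verify.

```javascript
// Added example, not the tool's own code: decode a JWT without verifying it,
// the way a client-side inspector does. Runs under Node.js.

// Base64URL is Base64 with '-' for '+', '_' for '/', and the trailing '='
// padding removed; undo both before handing the text to the Base64 decoder.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8')
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// A JWT is header.payload.signature; only the first two parts are JSON.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('a JWT has exactly three dot-separated parts');
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s, // kept as-is: decoding does not check it
  };
}

// Summarise the reserved claims a debugger looks at first. `nowSeconds` is the
// reference time in Unix seconds, passed in so the result is reproducible.
function inspectClaims(payload, nowSeconds) {
  const toIso = (t) => (typeof t === 'number' ? new Date(t * 1000).toISOString() : undefined);
  const issues = [];
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) issues.push('expired');
  if (typeof payload.iat === 'number' && payload.iat > nowSeconds) issues.push('iat in the future');
  return {
    sub: payload.sub,
    aud: payload.aud,
    iat: toIso(payload.iat),
    exp: toIso(payload.exp),
    issues,
  };
}

// Constructed sample token (not a real credential): issued 2023-12-31T00:00:00Z,
// expires 2024-01-01T00:00:00Z. The third segment is a placeholder, not an HMAC.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: 'user-42', aud: 'my-client-id', admin: false, iat: 1703980800, exp: 1704067200 })),
  'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',
].join('.');

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header);
console.log(inspectClaims(decoded.payload, Math.floor(Date.now() / 1000)));
```

Passing the reference time in explicitly is what lets you reproduce "why was this user logged out at 09:00?" after the fact: feed in the timestamp of the failure rather than the current clock.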
It is important to remember that Decoding is not Verifying. Our tool shows you what is inside, but it doesn't prove the token is legitimate. A hacker could easily create a fake JWT with 'admin:true'. The only way to trust a token is by verifying the signature on your backend server using a secret key. Our tool is for debugging the *content* of tokens you already know you are working with.
Checking the roles and expiration.
Why is the user being logged out?
JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
A JWT consists of three parts separated by dots: Header, Payload, and Signature. Each part is Base64URL encoded. Our tool decodes these sections to reveal the underlying JSON.
No. Decoding just reveals the information inside. Verification requires checking the signature against a secret key or public certificate to ensure the token hasn't been tampered with.
The 'exp' (Expiration Time) claim identifies the time on or after which the JWT must not be accepted for processing. It is usually a Unix timestamp.
Common reasons include: the token has expired (exp), the 'iat' (issued at) time is in the future, or the signature verification failed on the server.
Standard JWTs are typically 'signed' but NOT encrypted. This means the data is readable by anyone who has the token. For sensitive data, use JWE (JSON Web Encryption).
Claims are pieces of information asserted about a subject (like a user's ID, name, or admin status) within the payload.
They are often stored in LocalStorage or an HttpOnly cookie. For security, HttpOnly cookies are preferred to prevent XSS attacks from stealing the token.
Yes. Our tool is strictly client-side. Your token is never sent to our server; the decoding happens entirely in your browser's JavaScript engine.
It's a variant of Base64 encoding that is safe for URLs (replacing '+' with '-' and '/' with '_').