JWT (JSON Web Token) is a compact token format used to transmit claims between a client and a server. It’s commonly used as a Bearer token for authentication and authorization.

Is this JWT decoder safe?

This decoder runs locally in your browser and does not send the token to a server. Still, avoid pasting real production tokens into any public tools.

What’s the difference between decode and verify?

Decode means reading the header/payload (base64url). Verify means validating the signature and trust rules (keys, algorithm, issuer, audience).

Why can JWT be read even when it’s signed?

Header and payload are typically base64url-encoded. That’s encoding, not encryption: the signature protects integrity, but does not hide the contents.

What are claims in a JWT?

Claims are fields in the payload (e.g., sub, roles, scope, exp, iss, aud). You can only trust them after server-side verification (signature and validation rules).

Which JWT fields are most useful in security testing?

Common checks include exp/iat/nbf (time), iss/aud (issuer/audience binding), roles/scope/permissions (privileges), and avoiding sensitive/PII data in the payload.

What does alg mean in the JWT header and why is it important?

alg is the signature algorithm (e.g., HS256/RS256/ES256). Incorrect alg handling on the server can lead to critical token validation vulnerabilities.

JWT Decoder: decode a token online

What this JWT decoder does

JWT (JSON Web Token) is a token format used for API authentication and authorization. This decoder reads the header and payload in your browser so you can quickly inspect claims like exp, iss, aud, roles/scopes — without sending the token anywhere.

Where JWT is used

JWT is commonly used in APIs as a Bearer token (the Authorization header), and sometimes in cookie-based sessions. In real products it governs access to profiles, orders, payments, and admin operations — which directly impacts security and authorization.

What to check in a token

Time: exp/iat/nbf — token lifetime and correct timestamps.
Context: iss/aud — ensure tokens from another environment/app are not accepted.
Privileges: roles/scope/permissions — excessive privileges, and whether the server ever trusts decoded data without verification.
Data minimization: avoid PII/sensitive data in the payload (JWT is readable).

More: JWT structure, checklist, examples

JWT structure

Format: header.payload.signature. Header/payload are usually base64url-encoded (not encrypted); the signature is validated on the server.

Header: token type and signature algorithm (alg).
Payload: claims (e.g., sub, roles, scope, exp, iss, aud).
Signature: signature (this tool does not verify it).

Decode vs verify

Decode is “read the payload”. Verify is validate the signature and rules (alg, iss, aud, time). Vulnerabilities often happen when a system trusts decode output instead of verify results.

Payload checklist

exp/iat/nbf: lifetime and constraints.
iss/aud: issuer and audience.
roles/scope: privileges.
PII: avoid personal data in the payload.

JWT decoder