About the JWT Decoder & Inspector
The JWT Decoder splits a pasted JSON Web Token (RFC 7519) into its three Base64URL-encoded segments — header (algorithm + type), payload (claims), and signature — with plain-English labels for the standard claims (iss, sub, aud, exp, nbf, iat, jti), Unix-timestamp-to-date conversion, an at-a-glance expiry indicator with countdown, and optional signature verification against a provided secret (HS256/384/512) or public key (RS / ES / PS256).
It is built for backend developers debugging an authentication flow that just stopped working (usually expired token), security engineers reverse-engineering a third-party API’s token format, integration developers verifying webhook signatures, OAuth flow implementers checking refresh-token claims, and anyone whose console.log(token) just produced a 600-character string they need to read.
All decoding and verification runs locally in JavaScript via the Web Crypto API. Tokens, payload contents, and secret keys never leave your device. The page makes no network call after first load. This is non-negotiable for any JWT tool — tokens carry user IDs, scopes, and frequently email addresses or other identifiers that should not appear in third-party logs.
Three things to remember: a JWT is encoded, not encrypted — anyone with the token can read the payload (use JWE if you need confidentiality). Never put passwords, full credit-card numbers, or API secrets in the payload; use the sub claim to reference a server-side record instead. Always whitelist acceptable signing algorithms in your verification code — the historical “alg: none” vulnerability still surfaces in misconfigured libraries. And short-lived access tokens paired with long-lived HttpOnly refresh tokens is the OAuth 2.0 pattern; don’t hand-roll session management on top of JWTs without that structure.
Paste a second JWT to see payload differences highlighted.
What Is a JSON Web Token (JWT)?
A JWT is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64URL-encoded parts separated by dots: the header (algorithm and token type), the payload (claims and data), and the signature (verification that the token hasn’t been tampered with).
Standard JWT Claims
The JWT specification defines seven standard claims: iss (issuer),
sub (subject), aud (audience), exp (expiration),
nbf (not before), iat (issued at), and jti
(JWT ID). These are all optional but widely used for authentication and authorization
workflows.
HS256 vs RS256
HS256 uses a shared secret key for both signing and verification — both the issuer and verifier need the same key. RS256 uses an asymmetric key pair: a private key for signing and a public key for verification. RS256 is more secure for distributed systems because you never need to share the private key.
JWT Security Best Practices
Never store sensitive data in JWTs — they are encoded, not encrypted. Always
set reasonable expiration times (15 minutes for access tokens, days for refresh tokens).
Validate all claims on the server, especially exp, iss, and
aud. Use HTTPS to prevent token interception, and implement token refresh
rotation to limit the damage of stolen tokens.
JWT Expiration and Clock Skew
Three time-based claims govern a JWT’s validity window. The exp
(expiration) claim sets the timestamp after which the token must be rejected. The
iat (issued at) claim records when the token was created, which is useful
for auditing and detecting tokens that were issued unusually far in the past. The
nbf (not before) claim specifies the earliest time the token is valid,
allowing tokens to be issued ahead of time for scheduled access. Servers validating
these claims typically allow a small clock skew — usually 30 to 60 seconds —
to account for minor differences between server clocks in distributed systems. One often
overlooked risk is long-lived tokens: a refresh token valid for 90 days gives an attacker
a large window if the token is ever stolen, so pairing long expiration with token rotation
and revocation lists is strongly recommended.
Common JWT Vulnerabilities and How to Avoid Them
The alg: none attack is one of the most well-known JWT vulnerabilities: a
malicious actor crafts a token that sets the algorithm header to none,
effectively removing the signature requirement. Any library that blindly trusts the
algorithm value in the header will accept these unsigned tokens as valid. Always enforce
a strict allowlist of accepted algorithms on your server and never derive the verification
algorithm from the token itself. A subtler attack targets RS256 implementations: if a
server accepts both HS256 and RS256, an attacker can take the RS256 public key (which is
often publicly distributed), use it as an HS256 secret to sign a forged token, and trick
a misconfigured server into accepting it. Finally, remember that JWTs are only
Base64URL-encoded — not encrypted. Any claim in the payload is readable by anyone
who holds the token, so fields like passwords, credit card numbers, or other secrets must
never appear in a JWT without an additional encryption layer (JWE).
When investigating a JWT, the Base64 & Encoding Toolkit lets you manually decode individual token segments and experiment with encoding schemes. To verify HMAC signatures or check the integrity of API payloads outside of a full JWT flow, the Hash Generator provides SHA-256 and HMAC-SHA utilities that pair naturally with JWT inspection work.
Frequently Asked Questions
Is a JWT encrypted?
No. A standard JWT (RFC 7519) is Base64URL-encoded but not encrypted, so anyone with the token can read the payload. If you need confidentiality, use JWE (RFC 7516) which wraps a JWT in an encrypted envelope.
What is the difference between HS256 and RS256?
HS256 uses HMAC with a shared symmetric secret, so both parties need the same key to sign and verify. RS256 uses RSA asymmetric keys, so only the issuer has the private key while consumers verify with the public key. RS256 is preferred for distributed systems where you do not want to share secrets.
Why should I avoid putting sensitive data in a JWT?
Because the payload is readable by anyone who intercepts the token. Never place passwords, personal identifiers beyond a user ID, or API secrets in a JWT. Store those server-side and reference them via a minimal subject claim.
How do I safely refresh an expired JWT?
The common pattern is a short-lived access token paired with a longer-lived refresh token stored in an HttpOnly secure cookie. When exp passes, the client exchanges the refresh token for a new access token. This is described in OAuth 2.0 RFC 6749 section 6.
Is the alg: none vulnerability still a risk?
It can be if libraries are misconfigured. The alg: none attack lets a forged token pass verification if the server accepts unsigned tokens. Always whitelist acceptable algorithms when calling your JWT library and never let the token itself choose the verification algorithm.
