Free Developer Tool

JWT Token Decoder

Decode, inspect, and debug JSON Web Tokens. View headers, payloads, and validate token expiration.

100% Client-Side. No Data Stored. No Signup Required.


What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way of representing claims to be transferred between two parties. JWTs are commonly used for:

  • Authentication: After login, a JWT is issued and sent with each request
  • Authorization: JWTs contain claims about what the user can access
  • Information Exchange: Securely transmitting data between parties

JWTs are self-contained, meaning all necessary information is in the token itself.

JWT Structure

A JWT consists of three parts separated by dots (.):

  • Header: Contains the token type and signing algorithm (e.g., RS256, HS256)
  • Payload: Contains the claims - statements about the user and metadata
  • Signature: Verifies the token hasn't been tampered with

Example: eyJhbGc....eyJzdWI....SflKxw...

Common Claims

Standard JWT claims (registered claims) include:

  • iss (Issuer): Who issued the token
  • sub (Subject): Who the token represents
  • aud (Audience): Intended recipient
  • exp (Expiration): When the token expires
  • iat (Issued At): When the token was issued
  • nbf (Not Before): Token not valid before this time
  • jti (JWT ID): Unique token identifier

Security Best Practices

  • Always verify signatures: Don't trust decoded data without verification
  • Check expiration: Always validate exp claim before accepting tokens
  • Use HTTPS: JWTs should only be transmitted over secure connections
  • Keep secrets secure: Never expose signing keys in client-side code
  • Use appropriate algorithms: Prefer RS256 over HS256 for public clients
  • Set short expiration: Access tokens should be short-lived (minutes, not days)
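
The decoding and expiration check described on this page, as an added example (not this tool's own code). The names `b64urlToJson` and `inspectJwt`, the 30-second clock-skew leeway and the sample token are assumptions made for illustration.

```javascript
// Added example, not the tool's own code. Decoding is NOT verification:
// nothing here checks the signature, so the result is marked verified: false.
function b64urlToJson(segment) {
  // base64url -> base64, restoring the padding the compact format strips
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  const obj = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
  if (obj === null || typeof obj !== 'object') throw new Error('not a JSON object');
  return obj;
}

// nowSec and leewaySec (allowed clock skew) are parameters assumed for this example.
function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000), leewaySec = 30) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) return { ok: false, error: 'expected 3 dot-separated parts' };
  let header, payload;
  try {
    header = b64urlToJson(parts[0]);
    payload = b64urlToJson(parts[1]);
  } catch (e) {
    return { ok: false, error: 'header or payload is not base64url-encoded JSON' };
  }
  const warnings = [];
  if (String(header.alg).toLowerCase() === 'none' || parts[2] === '') {
    warnings.push('unsigned token');
  }
  if (typeof payload.exp !== 'number') warnings.push('no exp claim');
  else if (nowSec >= payload.exp + leewaySec) warnings.push('expired');
  if (typeof payload.nbf === 'number' && nowSec + leewaySec < payload.nbf) {
    warnings.push('not yet valid');
  }
  return { ok: true, verified: false, header, payload, warnings };
}

// Constructed sample token; the third part is a placeholder, not a real signature.
const enc = o => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE = [enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ sub: 'user-123', iat: 1700000000, exp: 1700000300 }), 'c2lnbmF0dXJl'].join('.');

console.log(inspectJwt(SAMPLE, 1700000100).warnings); // within lifetime
console.log(inspectJwt(SAMPLE, 1700000400).warnings); // past exp + leeway
```

The `verified: false` field is deliberate: a service accepting tokens still has to check the signature against the issuer's key, with the expected algorithm pinned, before trusting any claim shown here.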
© 2026 All Rights Reserved. Made by Yasser