DevToolBoxFREE
Blog

JWT Token Decoder

Decode and inspect JWT tokens online. View the header, payload, and signature from any JSON Web Token instantly.

JWT Structure Reference

JWT Structure

A JWT consists of three Base64URL-encoded parts separated by dots: Header.Payload.Signature

Header
Algorithm + Type
.
Payload
Claims / Data
.
Signature
Verification

Header Fields

FieldNameDescription
algAlgorithmSigning algorithm (HS256, RS256, ES256, etc.)
typTypeToken type, typically "JWT"
kidKey IDIdentifier for the signing key used
jkuJWK Set URLURL to the JSON Web Key Set
x5uX.509 URLURL to the X.509 certificate chain

Registered Payload Claims

ClaimNameDescription
issIssuerEntity that issued the JWT
subSubjectSubject of the JWT (user ID)
audAudienceRecipient(s) the JWT is intended for
expExpirationTimestamp after which the JWT expires
nbfNot BeforeTimestamp before which the JWT is not valid
iatIssued AtTimestamp when the JWT was issued
jtiJWT IDUnique identifier for the JWT

Frequently Asked Questions

What is a JSON Web Token (JWT)?
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. It consists of three parts: a Header (algorithm and token type), a Payload (claims/data), and a Signature. JWTs are widely used for authentication and authorization in web applications and APIs.
Can a JWT be decoded without the secret key?
Yes, the header and payload of a JWT are only Base64URL-encoded, not encrypted. Anyone with the token can decode and read these parts. The secret key is only needed to verify the signature, which confirms the token has not been tampered with. This is why you should never store sensitive information in the JWT payload.
What is the difference between JWT and session cookies?
Session cookies store a session ID on the client, with the actual session data kept on the server. JWTs are self-contained tokens that carry all necessary data within the token itself. JWTs are stateless and work well in distributed systems and APIs, while session cookies require server-side storage. JWTs can be larger than session IDs but eliminate the need for server-side session lookups.

Related JWT Tools

๐• Twitterin LinkedIn

Rate this tool

4.0 / 5 ยท 145 ratings

More Tools

JWTJWT DecoderJPJWT ParserJVJWT Validatorโ†’BBase64 Decoder

Recommended

CloudflareFree CDN & DDoS protection

Stay Updated

Get weekly dev tips and new tool announcements.

No spam. Unsubscribe anytime.

Enjoy these free tools?

โ˜•Buy Me a Coffee