JWT Decoder & Encoder

JWT Decoder & Encoder
Quick Actions:
Note: JWT encoding is done client-side. Never use production secrets here.
About JWT

JSON Web Token (JWT) is a compact, URL-safe means of representing claims between two parties.

Structure:

  • Header - Algorithm & token type
  • Payload - Claims (data)
  • Signature - Verification
Common Claims
  • iss - Issuer
  • sub - Subject
  • aud - Audience
  • exp - Expiration Time
  • nbf - Not Before
  • iat - Issued At
  • jti - JWT ID
Supported Algorithms
  • HS256 - HMAC SHA-256
  • HS384 - HMAC SHA-384
  • HS512 - HMAC SHA-512
  • RS256 - RSA (decode only)
  • ES256 - ECDSA (decode only)

JWT Decoder - Debug Tokens Without Sharing Your Secrets

Paste a JWT and see what's inside. Everything runs locally in your browser, so your tokens stay private. Essential when troubleshooting authentication flows or when you need to quickly inspect claims without writing code.

What is JWT?

JWT (JSON Web Token, pronounced "jot") is a compact token format defined in RFC 7519. It carries a JSON payload encoded in Base64URL and signed with a secret or key pair, letting servers trust the data without a database lookup. You'll find JWTs powering login sessions, API keys, and OAuth flows across the web.

What This Tool Does

  • Decodes any JWT right in your browser - nothing sent to a server
  • Shows header, payload, and signature in separate panels
  • Converts timestamps (exp, iat, nbf) to human-readable dates - for Unix timestamp work, use our timestamp converter
  • Warns you if the token is expired
  • Handles HS256, RS256, and other common hashing algorithms

JWT in Microservices Architecture

In microservices architecture, JWT plays a crucial role in enabling secure communication between services:

  • Stateless Authentication: Each microservice can independently validate tokens without calling a centralized auth service, reducing load and latency
  • Service-to-Service Communication: JWT allows secure propagation of user context across the service call chain
  • API Gateway: Gateway validates JWT once and passes decoded claims to downstream services
  • Horizontal Scaling: No server-side state makes scaling simple - any instance can handle any request
  • Unified Authorization: Roles and permissions in the token enable consistent access control across all services

JWT Best Practices for Microservices

  • Short Expiration: Use access tokens with 5-15 minute exp and refresh tokens for renewal
  • Asymmetric Keys: RS256/ES256 for production - private key only on auth service, public key on all consumers
  • Minimal Payload: Store only essential claims - user_id, roles, tenant_id. Fetch details separately
  • Audience Validation: Specify aud claim to prevent token misuse across different services
  • Token Revocation: Implement a blacklist for critical scenarios (logout, password change)

When You'll Need This Tool

  • Debugging "401 Unauthorized" API errors
  • Checking what claims your backend actually sends
  • Verifying token expiration during development
  • Learning how JWT structure works
  • Quick inspection without writing code

Related Tools

Base64 Encoder/Decoder URL Encoder/Decoder Hash Generator HMAC Generator

JWT Questions

A signed JSON blob that servers can trust without database lookups. Contains claims (who you are, what you can do, when it expires) plus a signature proving it wasn't tampered with.

Header (algorithm used), Payload (the actual data/claims), Signature (proof it's legit). Each part is Base64URL encoded, separated by dots.

The signature is secure - tampering is detectable. But the payload is just encoded, not encrypted. Anyone can read it. Don't put secrets in there. And always use HTTPS.

Standard ones are iss (who issued it), sub (who it's for), exp (when it expires), iat (when issued). Add custom claims for roles, permissions, whatever your app needs.