What is a JWT (JSON Web Token)?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to transmit claims between parties as a JSON object. A signed JWT can be verified, and therefore trusted, by any party holding the right key: the signature proves integrity and origin, not confidentiality, so a plain signed JWT is readable by anyone who obtains it. JWTs can be signed with a shared secret (HMAC) or with a public/private key pair (RSA or ECDSA).
Structure of a JWT
A standard JSON Web Token consists of three parts separated by dots (.):
- Header: JSON describing the token type (typ, normally JWT) and the signing algorithm (alg, e.g. HS256 for HMAC-SHA256 or RS256 for RSA).
- Payload: JSON containing the claims, i.e. the data being transmitted (e.g. a subject identifier, the issuer, an expiry time).
- Signature: Used to verify the integrity and origin of the token. It is computed over the Base64url-encoded header and payload joined by a dot, using the shared secret (HMAC) or the private key (RSA/ECDSA).
JWT Encoding vs Decoding
Encoding takes the header and payload JSON and converts each to Base64url (Base64 with URL-safe characters and no padding) so the token can be passed safely in URLs, HTTP headers, or form parameters.
Decoding, which this tool performs, reverses Base64url back into readable JSON. Note that decoding requires no secret key: anyone holding the token can read the header and payload, which is why sensitive information (such as passwords) must never be placed in a JWT payload. Verification is the step that needs the secret or public key, and it is what establishes that the token has not been tampered with.
JWT Best Practices
- Do not store sensitive data: Because anyone can decode the payload, never put passwords or sensitive personal information inside a JWT.
- Keep tokens short-lived: Add an expiration time (exp claim) to reduce the window of opportunity if the token is compromised.
- Always verify the signature: Before trusting any claim in the payload on your server, verify the token signature using the appropriate secret or public key. Pin the expected algorithm in your own code rather than accepting whatever the token's alg header says, and reject tokens whose alg is none.
- Use secure transmission: Always send JWTs over HTTPS to prevent interception of the token string.
Built by Hardick Raj. Designed to help developers quickly and safely decode their JWTs in the browser without sending data to any backend server. Check out more of my tools and projects to streamline your development workflow.