JWT Decoder

Decode a JSON Web Token (JWT) to inspect its header, payload, and signature. This tool runs entirely in your browser for maximum security.

About JSON Web Tokens (JWT)

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

They are commonly used for authentication and authorization in web applications. After a user logs in, the server creates a JWT and sends it to the client. The client then sends this JWT with every subsequent request to access protected resources.

A JWT consists of three parts separated by dots (`.`):

1. Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA. This JSON is Base64Url encoded to form the first part of the JWT.

2. Payload

The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are registered claims (like `iss` for issuer, `exp` for expiration time), public claims, and private claims. This JSON is Base64Url encoded to form the second part of the JWT.

3. Signature

To create the signature, you sign the encoded header and the encoded payload with a secret, using the algorithm specified in the header. The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
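
The three parts described above, split and decoded in JavaScript as an added example (not this tool's own code). The function names, the sample tokens and the issuer URL are constructed for illustration; the code only decodes and inspects, it does not verify the signature.

```javascript
// Decode-only inspection of a compact JWT. Nothing here verifies the signature,
// so the decoded claims must not be trusted for access decisions.
function b64urlToText(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error("not base64url");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects byte sequences that are not valid UTF-8
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Helper used only to build the constructed sample tokens below.
function textToB64url(text) {
  const bytes = new TextEncoder().encode(text);
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function inspectJwt(token, nowSeconds) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated parts");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") {
    warnings.push("alg is none: token is unsigned");
  }
  if (parts[2] === "") warnings.push("signature part is empty");
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) {
    warnings.push("token expired");
  }
  return { header, payload, signature: parts[2], warnings };
}

// Constructed sample tokens (not real credentials); the signature is a placeholder.
const head = (alg) => textToB64url(JSON.stringify({ alg, typ: "JWT" }));
const body = textToB64url(JSON.stringify({
  iss: "https://issuer.example", sub: "user-1", exp: 1700000000,
}));
const SIGNED = `${head("HS256")}.${body}.${textToB64url("placeholder-signature")}`;
const UNSIGNED = `${head("none")}.${body}.`;

console.log(inspectJwt(SIGNED, 1600000000));
console.log(inspectJwt(UNSIGNED, 1800000000).warnings);
```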