JWT Decoder & Encoder
Decode, inspect, and encode JWT tokens with full claim details and expiration status.
JWT Structure
A JWT consists of three parts separated by dots: header.payload.signature
Common JWT Claims
iss - Issuer: Organization or app that created the token
sub - Subject: Unique identifier for the user
aud - Audience: Intended recipient of the token
exp - Expiration Time: Unix timestamp when token expires
nbf - Not Before: Unix timestamp before which token is not valid
iat - Issued At: Unix timestamp when token was created
jti - JWT ID: Unique identifier for the token
Supported Algorithms
Example JWT Payload
{
  "sub": "[email protected]",
  "iss": "https://myapp.com",
  "aud": "mobile-app",
  "exp": 1704067200,
  "iat": 1704063600,
  "name": "John Doe",
  "role": "admin"
}
When to Use JWTs
- API authentication and authorization
- Single Sign-On (SSO) systems
- Session management in stateless services
- Microservice communication
- Mobile app authentication
How to Use the JWT Decoder
Paste your JWT token into the decoder input field. The tool automatically parses the three parts (header, payload, signature) and displays them as formatted JSON. Standard claims like expiration time are converted to human-readable dates, and you'll see the current expiration status with a countdown. All processing happens in your browser — your token data is never sent anywhere.
Understanding JWT Structure
A JWT is composed of three base64url-encoded segments (the URL-safe Base64 alphabet with '-' and '_', and no '=' padding) separated by periods:
- Header: Specifies the token type (JWT) and the signing algorithm (e.g., HS256, RS256).
- Payload: Contains the claims or data you want to transmit (user info, permissions, etc.).
- Signature: Lets the recipient detect tampering. It is computed over the encoded header and payload with a shared secret (HMAC algorithms such as HS256) or a private key (asymmetric algorithms such as RS256). Note that the header and payload are only encoded, not encrypted: anyone holding the token can read them.
What This Tool Does
The JWT Decoder provides four main features:
- Decode: Parse a JWT token and display header, payload, and signature as readable JSON.
- Inspect Claims: See all claims with automatic date conversion for timestamps (exp, iat, nbf).
- Check Expiration: Instantly see if a token is expired or valid, with exact expiration dates.
- Encode: Create custom JWT tokens with your own header and payload for testing.
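Here is how the decoder described above can be built, as an added example that is not BreezyTools' own source. It runs on Node.js (the Buffer base64url codec stands in for the browser's atob), inspects the token without verifying the signature, and takes the current time as a parameter so the expiration status is reproducible; the sample token, its claim values and the placeholder signature are constructed for this example.

```javascript
// Added example (not the tool's code): minimal JWT decoder and claim inspector.
// Splits header.payload.signature, base64url-decodes the two JSON segments,
// converts NumericDate claims to ISO dates and reports the expiration status.
// It never verifies the signature. Node.js, no network access.

const TIMESTAMP_CLAIMS = ["exp", "nbf", "iat"]; // RFC 7519 NumericDate claims (seconds since epoch)

// base64url (RFC 4648 section 5): '-' and '_' instead of '+' and '/', no '=' padding.
// Node's "base64url" decoder accepts unpadded input.
function base64urlDecode(segment) {
  return Buffer.from(segment, "base64url").toString("utf8");
}

// Parse a compact JWT. The signature is returned as the raw base64url text,
// because without the key this tool cannot check it.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = JSON.parse(base64urlDecode(headerSeg));
  const payload = JSON.parse(base64urlDecode(payloadSeg));
  if (typeof header !== "object" || header === null || typeof payload !== "object" || payload === null) {
    throw new Error("header and payload must be JSON objects");
  }
  return { header, payload, signature: signatureSeg };
}

// Human-readable dates plus an expiration status. `nowSeconds` is injectable so
// the result is reproducible; the default is the wall clock.
function inspectClaims(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const dates = {};
  for (const name of TIMESTAMP_CLAIMS) {
    if (Number.isFinite(payload[name])) {
      dates[name] = new Date(payload[name] * 1000).toISOString();
    }
  }
  let status;
  if (!Number.isFinite(payload.exp)) status = "no-expiration";
  else if (nowSeconds >= payload.exp) status = "expired";
  else if (Number.isFinite(payload.nbf) && nowSeconds < payload.nbf) status = "not-yet-valid";
  else status = "valid";
  const secondsRemaining = Number.isFinite(payload.exp) ? payload.exp - nowSeconds : null;
  return { dates, status, secondsRemaining };
}

// Constructed sample token: claim values are made up for the example, and the
// third segment is a placeholder rather than a real HMAC.
function base64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}
const SAMPLE_HEADER = { alg: "HS256", typ: "JWT" };
const SAMPLE_PAYLOAD = {
  sub: "user-123", iss: "https://myapp.com", aud: "mobile-app",
  exp: 1704067200, iat: 1704063600, name: "John Doe", role: "admin",
};
const SAMPLE_TOKEN = `${base64urlEncode(SAMPLE_HEADER)}.${base64urlEncode(SAMPLE_PAYLOAD)}.not-a-real-signature`;

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(JSON.stringify(decoded, null, 2));
console.log(inspectClaims(decoded.payload, 1704063600)); // status "valid", 3600 s remaining
console.log(inspectClaims(decoded.payload));             // "expired" on any clock past 2024-01-01
```

The status is computed from `exp` and `nbf` only; a decoder cannot tell you whether the token is genuine, which is the verifier's job and needs the key.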
Common JWT Use Cases
- API Authentication: JWTs serve as bearer tokens in Authorization headers.
- Session Management: Replace traditional session cookies with stateless JWT tokens, at the cost of immediate revocation: a token stays valid until it expires unless the server also keeps a deny list.
- Single Sign-On: Share user identity across multiple services without a central session store.
- Microservices: Carry the caller's identity and permissions between independent services, each of which verifies the token itself.
- Mobile Apps: Provide lightweight authentication that doesn't rely on server-side sessions.
JWT Security Best Practices
- Keep secrets secret: Never expose your signing key in client-side code or public repositories.
- Validate signatures: Always verify the signature server-side with the key that belongs to the algorithm you expect. Fix the algorithm in server configuration rather than trusting the token's alg header, and reject alg 'none'.
- Set expiration times: Use the 'exp' claim to limit token lifetime and reduce risk if compromised.
- Use HTTPS: Always transmit JWTs over encrypted connections.
- Validate claims: Check iss (issuer), aud (audience), exp, nbf and any app-specific claims on the server. A valid signature only proves who signed the token, not that it was meant for your service or is still current.
Frequently Asked Questions
- What is a JWT (JSON Web Token)?
- A JWT is a compact, URL-safe token that encodes claims (data) as JSON. It consists of three parts (header, payload, signature) and is commonly used for API authentication and session management.
- How do I decode a JWT token?
- Paste your JWT token into the decoder input field. The tool automatically parses all three parts and displays them as formatted JSON with human-readable timestamps.
- What are the most common JWT claims?
- Common claims include iss (issuer), sub (subject/user), aud (audience), exp (expiration), iat (issued at), nbf (not before), and jti (unique ID). Custom claims can be added for app-specific data.
- Can this tool verify JWT signatures?
- The decoder displays the signature segment but does not verify it. Verification needs the signing secret (HMAC algorithms) or the issuer's public key (RSA/ECDSA algorithms), and it belongs on the server. This tool is for inspection and debugging.
- Is my token data safe when I decode it?
- Yes. All decoding happens entirely in your browser. Your JWT tokens are never sent to any server. They remain on your device at all times.
- Can I create a JWT with this tool?
- Yes. Use the Encoder tab to input custom header and payload JSON, select an algorithm, and optionally provide a secret for testing. Note that production use requires proper server-side secret handling.
- What does it mean if a token is 'expired'?
- A JWT is expired when the current time is past the 'exp' (expiration time) claim. Servers reject expired tokens during authentication, usually allowing only a few seconds of leeway for clock skew, and you should not accept them either.
- Can I use this tool for production tokens?
- This tool is designed for debugging and testing JWT tokens. For production use, always validate tokens server-side with your secret key. Never send real production secrets to any client-side tool.