JWT Decoder
Decode and inspect JWT tokens
JWT Decoder Complete Guide
JWT (JSON Web Token, RFC 7519) is a compact, URL-safe token format for carrying authentication info and claims between parties. This tool instantly decodes JWTs so you can inspect headers, payloads, and expiration status. It is useful for backend auth debugging, expiry validation, and claim inspection.
Enhanced Features
- Expiration Status: ✅ Valid / ❌ Expired at a glance
- Time Until Expiration: Days, hours, minutes
- Key Claims Extraction: iss, sub, exp, iat, nbf neatly displayed
- Color Coding: Header (red), Payload (purple)
- Sample Token: Quick test data
Standard JWT Claims
| Claim | Meaning | Example |
|---|---|---|
| iss | Issuer | "https://auth.example.com" |
| sub | Subject | "user-123" |
| aud | Audience | "my-app" |
| exp | Expiration | 1916239022 |
| iat | Issued At | 1516239022 |
| nbf | Not Before | 1516239022 |
| jti | JWT ID | "unique-id-123" |
JWT Security Best Practices
- Use secrets of 256 bits or more (HS256) or RSA keys of 2048 bits or more
- Short JWT expiration + Refresh Token pattern
- HTTPS only (never transmit in plaintext)
- Algorithm validation (prevent alg=none attacks)
- Don't put sensitive data in the payload
⚠️ Note: A JWT is digitally signed, NOT encrypted. The payload can be decoded by anyone.
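The decode-and-inspect flow described above, as an added example that is not this tool's own code: it splits a token, decodes the header and payload, reports expiration status, and flags `alg=none` or an algorithm outside an allow-list. The name `inspectJwt`, the allow-list, and the sample tokens are assumptions constructed for illustration, and nothing here verifies a signature.

```javascript
// Added example: decode-only JWT inspection. Decoding is not verification.
const ALLOWED_ALGS = ['HS256', 'RS256']; // assumed allow-list for this sketch

function b64urlDecode(seg) {
  // base64url -> base64, restore padding, then decode the bytes as UTF-8
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(seg.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const warnings = [];

  // Algorithm validation: the header is untrusted input chosen by the sender.
  const alg = String(header.alg || '');
  if (alg.toLowerCase() === 'none') warnings.push('alg=none: unsigned token');
  else if (!ALLOWED_ALGS.includes(alg)) warnings.push(`alg ${alg} not in allow-list`);
  if (parts[2] === '') warnings.push('empty signature segment');

  // exp and nbf are NumericDate values (seconds since the Unix epoch).
  let status = 'no-exp';
  let secondsLeft = null;
  if (typeof payload.exp === 'number') {
    secondsLeft = payload.exp - nowSec;
    status = secondsLeft > 0 ? 'valid' : 'expired';
  }
  if (typeof payload.nbf === 'number' && nowSec < payload.nbf) status = 'not-yet-valid';
  return { header, payload, status, secondsLeft, warnings, signatureVerified: false };
}

// Constructed sample tokens; the signature is a dummy string, not a real MAC.
const enc = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const claims = { iss: 'https://auth.example.com', sub: 'user-123',
  iat: 1516239022, nbf: 1516239022, exp: 1916239022 };
const signedSample = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.ZHVtbXk`;
const unsignedSample = `${enc({ alg: 'none' })}.${enc(claims)}.`;

console.log(inspectJwt(signedSample, 1700000000));   // fixed clock for a stable result
console.log(inspectJwt(unsignedSample, 2000000000)); // unsigned and past exp
```

A server must still verify the signature with a key and algorithm it chooses itself before trusting any claim shown here.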