

What is a JWT Token?

Imagine you are logging into a website. Instead of the server having to check your username and password every single time you load a new page, which would be slow and annoying, it hands you a little digital "hall pass" that says "Yep, this person is already logged in, let them through." That hall pass is basically what a JWT (JSON Web Token) is.

JWT (pronounced "jot") stands for JSON Web Token and is mainly used to exchange information. At its core, it is a compact, URL-safe way to represent claims (pieces of information) between two parties - usually a client (your browser or mobile app) and a server. You can read more about JWTs on Wikipedia.

In modern web development, if you have worked with APIs, authentication, or single sign-on systems, you have almost certainly run into JWT. It is used everywhere in modern applications, from protecting REST APIs to handling login sessions in React, Node.js, Vue, or Angular apps.



Structure of JWT Tokens

A JWT looks like a long random string, something like this:

A token like this might look complicated, but if you look closely you will find it is made of three parts separated by '.':

  • Header: Declares the token type and which algorithm was used to sign it (e.g., HS256 or RS256). The header is part of the token, so it is under the control of whoever holds the token; a verifier should decide which algorithm it accepts and must not simply trust the one the header names.

  • Payload: The actual data (claims) like user ID, email, roles, expiration time, etc. It is only base64url-encoded, not encrypted, so anyone holding the token can read it.

  • Signature: A cryptographic signature that proves the token has not been tampered with. The server takes the header + payload and signs them with a secret key (HMAC algorithms such as HS256) or a private key (RSA/ECDSA algorithms such as RS256). If even one character in the header or payload changes, the signature will no longer match.


Types of JWT Tokens

There are officially no types of JWT tokens, but in practice developers use the same format for a couple of different jobs:

  • Access Tokens: These are short-lived (minutes to hours), contain user info and permissions, and are used for actually calling APIs.
  • Refresh Tokens: These are longer-lived and usually opaque (not JWTs), but sometimes people make them JWTs too. Their only job is to get a new access token when the old one expires.
  • ID Tokens: These are JWTs used in OpenID Connect (basically OAuth2 + an identity layer). They tell you who the user is (email, name, etc.) and are meant for the client app, not the API.


How a JWT Token Decoder Works

A JWT decoder is simply a tool, often an online tool, that converts a long, scary-looking JWT into readable JSON so that you can see what is inside it. You might need it when you want to inspect a token someone else issued, for example during a security review, or when you are issuing your own JWTs and want to check that they contain what you expect. Keep in mind that decoding is not verification: a decoder shows you the claims, but nothing about the decoded output tells you whether the signature is valid or the token is still within its expiry. Also, since tokens are credentials, avoid pasting production tokens into third-party online tools.

The working of a JWT decoder is very simple. It splits the long string on the dots that join the three parts (header, payload, signature).

After splitting, you have three base64url strings. Base64url-decode the first part -> header JSON. Base64url-decode the second part -> payload JSON. (Optional) Take the header + payload, re-create the signature using the secret or key you have, and compare it to the third part. If they match -> the token is valid and untampered. Quite simple steps, not for humans but for machines.
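The following is an added example, not code from the page or from the tool it describes, that carries out both the three-part structure described above and the decode/verify steps just listed, using only the Python standard library. It builds an HS256 token from constructed sample claims and a constructed demo secret, decodes it the way an online decoder does (no signature check), verifies it properly (algorithm pinned by the verifier, constant-time HMAC comparison, `exp` checked), and shows that changing a single claim breaks the signature. The secret, claim values, and helper names are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding that JWT segments strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def encode_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    signing_input = _json_segment(header) + "." + _json_segment(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str):
    """What an online decoder does: split on '.', decode header and payload.
    No signature check, so the result must not be trusted for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[2]


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the payload only if the HS256 signature matches and 'exp' has not passed."""
    header, payload, sig_segment = decode_unverified(token)
    # The verifier decides the algorithm; the untrusted header does not get to choose.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_segment)):
        raise ValueError("signature mismatch")
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def forge_claim(token: str, claim: str, value) -> str:
    """Re-encode the payload with one claim changed but keep the original signature,
    i.e. what an attacker who only edits the base64url payload ends up with."""
    header, payload, sig_segment = decode_unverified(token)
    payload[claim] = value
    return _json_segment(header) + "." + _json_segment(payload) + "." + sig_segment


# Constructed sample data for the example (assumptions, not real credentials).
SAMPLE_SECRET = b"constructed-demo-secret-do-not-use"
SAMPLE_HEADER = {"alg": "HS256", "typ": "JWT"}
SAMPLE_PAYLOAD = {"sub": "1234567890", "name": "Alice", "role": "user",
                  "iat": 1700000000, "exp": 2000000000}
SAMPLE_TOKEN = encode_hs256(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_SECRET)


if __name__ == "__main__":
    print("decoded (unverified):", decode_unverified(SAMPLE_TOKEN)[:2])
    print("verified payload:", verify_hs256(SAMPLE_TOKEN, SAMPLE_SECRET, now=1700000100))
    forged = forge_claim(SAMPLE_TOKEN, "role", "admin")
    print("forged token decodes fine:", decode_unverified(forged)[1]["role"])
    try:
        verify_hs256(forged, SAMPLE_SECRET, now=1700000100)
    except ValueError as e:
        print("forged token rejected:", e)
```

The point of `forge_claim` is the one the structure section makes: a decoder happily shows `role: admin` in the edited token, because decoding only undoes base64url, while the verifier rejects it because the HMAC no longer matches. Real deployments should use a maintained JWT library rather than hand-rolled verification, but the checks here (pin the algorithm, compare digests in constant time, enforce `exp`) are the ones such a library must perform.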