🎫 Security Tool

JWT Decoder & Validator

Decode, inspect, and validate JSON Web Tokens. View header algorithm, payload claims, expiration time, and signature verification status.

What Is a JSON Web Token (JWT)?

A JSON Web Token is a compact, URL-safe token format used for securely transmitting information between parties. JWTs consist of three Base64URL-encoded parts separated by dots: Header.Payload.Signature. They're widely used for authentication (OAuth 2.0, OpenID Connect), session management, and API authorization.

JWT Structure Explained

Standard JWT Claims

Claim | Name       | Description
iss   | Issuer     | Who created the token
sub   | Subject    | Who the token is about (usually user ID)
aud   | Audience   | Who the token is intended for
exp   | Expiration | When the token expires (Unix timestamp)
iat   | Issued At  | When the token was created
nbf   | Not Before | Token is not valid before this time
jti   | JWT ID     | Unique identifier for the token

JWT Security Best Practices

FAQ

Is JWT decoding safe?

Yes, JWT decoding is completely safe: the header and payload are simply Base64URL-encoded, not encrypted, and anyone can decode them. A JWT's security comes from signature verification, not from hiding the payload.

Can this tool verify JWT signatures?

This tool can decode and inspect JWTs, but signature verification requires the secret key (HS256) or the public key (RS256), which we don't have access to. It will check whether the token is expired based on the exp claim.