JWT Decoder
Decode and inspect JWT tokens — header, payload, expiry.
What Are JSON Web Tokens?
JSON Web Tokens (JWTs) are a compact, URL-safe format for transmitting claims between two parties. A JWT consists of three parts separated by dots: a header, a payload, and a signature. The header and payload are Base64url-encoded JSON; the signature is Base64url-encoded raw bytes, not JSON. JWTs are widely used as authentication and authorization tokens in web applications, mobile apps, and APIs.
The Three Parts
The header contains the token type (typ, usually JWT) and the signing algorithm (alg, e.g., HS256 or RS256). The payload contains claims: statements about the subject plus metadata. The registered claims include iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (token ID). The signature is computed over the Base64url-encoded header and payload joined by a dot, using a shared secret for HMAC algorithms or the issuer's private key for RSA and ECDSA algorithms. A verifier that recomputes or checks the signature can detect any change to the header or payload; a decoder that merely reads the token cannot, and the payload itself is only encoded, not encrypted.
JWT vs Session Tokens
Traditional session tokens are opaque strings that index a record in server-side storage. JWTs are self-contained: the claims the server needs are carried in the token itself, so a resource server can accept one without a lookup, which makes them stateless and attractive for microservices and distributed systems. The trade-off is revocation. A signed token stays valid until exp, so revoking it early requires a server-side denylist (for example keyed on jti) or very short lifetimes, which reintroduces state.
Security Considerations
JWTs have known security risks, most of which come from letting the token choose how it is verified. In the "none" algorithm attack, the attacker sets alg to none and strips the signature; a library that honours the header then accepts the unsigned token. In algorithm confusion, the attacker changes alg from RS256 to HS256 and signs with the server's RSA public key, which a confused verifier uses as the HMAC secret. The defence is the same for both: the server decides the algorithm and the key from its own configuration and rejects any token whose header disagrees. Never act on claims from a client-supplied JWT before the signature has been verified; decoding is not verification. Check exp, iss, and aud on every request, keep expiration times short, and use refresh token rotation for longer sessions.
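The decoder described above and the verification rules from this section, as an added example that is not part of the decoder tool itself. It is standalone Python using only the standard library: the HMAC secret, the fixed clock value, the issuer, subject, and audience strings, and the role claim are all constructed for the demo. decode_jwt does what the tool does (split, restore Base64url padding, parse header and payload, return the raw signature bytes), and verify_jwt shows the other half: the algorithm is pinned by server configuration, so a forged alg=none token, a token signed with the wrong key, and a token whose header names an algorithm other than the configured one are all rejected before any claim is trusted. Only HS256 is implemented here; the RS256 branch exists to show that the alg pin fires before the key is ever touched.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    """Raised for any structural, signature, or claim failure."""


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> tuple[dict, dict, bytes]:
    """Split and decode a token WITHOUT verifying it. Anyone holding the token
    can do this, which is why a payload must never carry secrets."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])  # raw bytes, not JSON
    return header, payload, signature


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Mint an HS256 token; used here only to construct sample input."""
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"


def verify_jwt(token: str, key: bytes, expected_alg: str, audience: str,
               now: float | None = None, leeway: int = 30) -> dict:
    """Verify the signature and the exp/nbf/aud claims, then return the payload.

    expected_alg comes from server configuration, never from the token header.
    That one rule defeats both the alg=none attack and HMAC/RSA confusion: a
    header naming any other algorithm is rejected before a key is used."""
    header, payload, signature = decode_jwt(token)
    if header.get("alg") != expected_alg:
        raise InvalidToken(f"alg {header.get('alg')!r} rejected; server requires {expected_alg}")
    if expected_alg == "HS256":
        head, body, _ = token.split(".")
        expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise InvalidToken("bad signature")
    else:
        # Asymmetric verification needs a crypto library and is not implemented
        # in this example; the alg pin above has already done its job.
        raise InvalidToken(f"{expected_alg} verification not implemented here")
    now = time.time() if now is None else now
    if "exp" not in payload or now > payload["exp"] + leeway:
        raise InvalidToken("token expired or missing exp")
    if now < payload.get("nbf", 0) - leeway:
        raise InvalidToken("token not yet valid")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken(f"audience mismatch: {aud!r}")
    return payload


# Constructed demo values: not a real key, issuer, or user.
SECRET = b"constructed-demo-secret-do-not-reuse"
NOW = 1_700_000_000  # fixed clock so the demo is reproducible


def make_demo_token() -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://issuer.example", "sub": "user-42", "aud": "api.example",
              "iat": NOW, "exp": NOW + 600, "role": "user"}
    return sign_hs256(header, claims, SECRET)


def forge_none_token(token: str, **changes) -> str:
    """Attacker's move: rewrite claims, set alg=none, and drop the signature."""
    _, payload, _ = decode_jwt(token)
    payload.update(changes)
    head = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{head}.{body}."


def accepts(token: str, expected_alg: str, now: float, key: bytes = SECRET) -> bool:
    try:
        verify_jwt(token, key, expected_alg, "api.example", now=now)
        return True
    except InvalidToken:
        return False


def demo() -> dict:
    """Report which tokens the verifier accepts; only the genuine one should pass."""
    good = make_demo_token()
    return {
        "valid": accepts(good, "HS256", NOW),
        "none_attack": accepts(forge_none_token(good, role="admin"), "HS256", NOW),
        "wrong_key": accepts(good, "HS256", NOW, key=b"guessed-secret"),
        "alg_pinned_rs256": accepts(good, "RS256", NOW),
        "expired": accepts(good, "HS256", NOW + 3600),
    }


if __name__ == "__main__":
    print(decode_jwt(make_demo_token())[:2])
    print(demo())
```

Note that decode_jwt happily decodes the forged alg=none token, including its tampered role claim; that is exactly what a decoder tool shows you and exactly why its output must never be treated as verified.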
JWTs in OAuth 2.0 and OpenID Connect
OAuth 2.0 access tokens are often JWTs (RFC 9068 defines a JWT profile for them), although the framework also allows opaque tokens, and refresh tokens are usually opaque. OpenID Connect (built on OAuth 2.0) requires ID tokens to be JWTs that carry the user's identity claims, and a client validates one by checking the signature, iss, aud (its own client ID), exp, and, when used, nonce. Understanding JWT structure helps developers debug authentication flows, inspect token contents, and troubleshoot login issues in production applications.