MyWebUtils: Free Online Dev Tools
JWT Decoder
Paste a JSON Web Token (JWT) to decode its Header and Payload.
Understanding JWT (JSON Web Tokens)
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. It consists of three parts separated by dots (`.`): a Header, a Payload, and a Signature.
Header.Payload.Signature
- Header: A small JSON object naming the token type (`typ`, usually `JWT`) and the signing algorithm (`alg`, e.g. `HS256` for HMAC-SHA256 or `RS256` for RSA). A verifier should treat `alg` as untrusted input and check the token against the algorithm it expects, not the one the token names.
- Payload: Contains the "claims." Claims are statements about an entity (typically the user) plus any additional data. Common claims include `sub` (subject/user ID), `name`, `exp` (expiration time), and `iat` (issued at).
- Signature: Computed over the encoded Header and Payload (`Header.Payload`) with the key that `alg` calls for. A verifier that checks it with the right key learns that the token was issued by a holder of that key and that neither part has been modified since. A signature that was never checked proves nothing.
Why Do Developers Use JWTs?
- Authentication & Authorization: This is the most common scenario. Once a user logs in, a JWT is issued. The user then sends this JWT with subsequent requests to access protected routes, services, or resources. The server verifies the signature, and claims such as `exp`, before trusting anything the token says.
- Information Exchange: JWTs are a convenient way of transmitting information between parties because they can be signed, for example with a public/private key pair, so the recipient can be sure who produced the token and that it was not altered. Note that a signed JWT (a JWS) is readable by anyone who holds it; signing gives integrity and authenticity, not confidentiality. Data that must stay private needs an encrypted token (a JWE) or must not go in the token at all.
- Stateless Sessions: Because the token carries the necessary information about the user (the payload), the server doesn't need to store session state in a database, which makes scaling easier. The trade-off is that a token stays valid until `exp` even if the user logs out or the account is disabled, so keep lifetimes short and plan for revocation (for example, a short-lived access token paired with a refresh token the server can reject).
How This Decoder Helps
The Header and Payload of a JWT are simply Base64Url-encoded JSON objects (Base64 with a URL-safe alphabet and no `=` padding), meaning anyone who has the token can decode them without any key. This tool makes that process instant and easy. It also means a token must never carry passwords, API keys, or other confidential data.
- Instant Debugging: Quickly paste a token from an HTTP request header to inspect its contents. Check the user ID, expiration time (`exp`), issued at time (`iat`), or any custom claims.
- Inspect Claims: Check that the token you're working with contains the user information and permissions you expect. What you see is what the token claims, not what has been verified; a server must check the signature before acting on any of it.
- Expiration Check: The `exp` claim is a NumericDate, i.e. seconds (not milliseconds) since the Unix epoch. This tool can help you quickly determine if a token is expired without writing code.
Important: This tool only decodes the token. It does not verify the signature, which requires the key: the shared secret for HMAC algorithms such as `HS256`, or the public key for RSA/ECDSA algorithms such as `RS256`. Never paste a shared secret or private key into any online tool. Treat a live production token as a credential as well: anyone who obtains it can present it until it expires, so prefer decoding such tokens locally.