🎫 JWT Decoder
Decode and inspect JSON Web Tokens. Analyze header, payload, and signature.
Token Structure
header.payload.signature (three Base64URL-encoded segments separated by dots: the header, the payload, and the signature)
Common JWT Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Principal that issued the JWT |
| sub | Subject | Subject of the JWT (usually user ID) |
| aud | Audience | Recipients the JWT is intended for |
| exp | Expiration | Time after which JWT is invalid (Unix timestamp) |
| nbf | Not Before | Time before which JWT is not valid |
| iat | Issued At | Time when JWT was issued |
| jti | JWT ID | Unique identifier for the JWT |
Security Considerations
- alg: none - Tokens with algorithm "none" bypass signature verification
- Algorithm confusion - Changing RS256 to HS256 can allow forging tokens
- Weak secrets - Short or predictable secrets can be brute-forced
- Missing exp - Tokens without expiration never expire
- Sensitive data - Never store secrets in the JWT payload (it is only Base64 encoded, not encrypted)
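As an added example (Python, not the decoder tool's own code): an inspect-only decoder next to a verifier that applies the checks listed above. The verifier pins the algorithm instead of trusting the token's `alg` header, which rejects both `alg: none` and RS256-to-HS256 confusion with one check, compares signatures in constant time, and refuses tokens without `exp`. The secret and the `make_token` helper are constructed for the demonstration only.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    # Constructed test helper, not an issuer to copy: alg is a parameter
    # only so the verifier below can be exercised against alg=none
    header = {"alg": alg, "typ": "JWT"}
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(segs)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return signing_input + "." + b64url_encode(sig)

def decode_jwt(token: str):
    # Inspect only: decodes the three segments WITHOUT verifying anything
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)

def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    # Verifier: the algorithm is pinned here, never read from the token
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Rejects "none" and any RS256->HS256 confusion in one check
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if "exp" not in payload:          # tokens without exp never expire: refuse them
        raise ValueError("missing exp")
    if now >= payload["exp"]:
        raise ValueError("expired")
    if now < payload.get("nbf", 0):
        raise ValueError("not yet valid")
    return payload

def check(token: str, secret: bytes, now=None) -> str:
    # Returns "ok" or the rejection reason, for tooling and tests
    try:
        verify_jwt(token, secret, now)
        return "ok"
    except ValueError as e:
        return str(e)
```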