lotsoftools

JWT Decoder & Validator

Decode and validate JSON Web Tokens.

How to use our JWT decoder

Our JWT decoder is a simple tool that allows you to decode and verify the signature of a JWT token. To use it, simply paste the JWT token in the input box above. If the token is valid, you will see the decoded header and payload.

If you want to verify the signature of the token, you can enter the secret in the signature input box and click on the verify signature button. If the signature is correct, you will see a green check mark next to the button.

What is JWT

JSON Web Token (JWT) is a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. You can read more about JWT best practices on Auth0's blog.

JWTs are designed to be compact, URL-safe, and usable across different programming languages. This makes them excellent candidates for data transmission across a wide variety of applications, such as:

  • Authentication: Once a user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. This reduces the need for repeated login prompts.
  • Information Exchange: JWTs are a good way of securely transmitting information between parties. Because JWTs can be signed, you can be sure the senders are who they say they are. Furthermore, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.

How JWT works

A JWT typically consists of three parts: a header, a payload, and a signature:

  • Header: The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA. For example:
    {
      "alg": "HS256",
      "typ": "JWT"
    }
  • Payload: The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically the user) and additional data. For example:
    {
      "iat": 1516239022,
      "exp": 1516239022,
      "name": "John Doe",
      "role": "admin"
    }
  • Signature: To create the signature part, take the encoded header, the encoded payload and a secret, and sign them using the algorithm specified in the header.

These three parts are separated by dots (.) and form the JWT structure: header.payload.signature

The output is three Base64-URL strings separated by dots that can be easily sent via URL, POST parameter, or inside an HTTP header. The client will often store it locally, for example, using local storage. You can read more about JWT on jwt.io.
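The following Python script is an added example, not code from this page or its tool, showing what the decoder above does: it splits a token into its three Base64-URL segments, decodes the header and payload without any key, and verifies an HS256 signature with the secret. The secret "example-secret" and the token are constructed for this example from the sample header and payload above; the verifier pins the expected algorithm instead of trusting the "alg" field and also checks the exp claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

def b64url_decode(segment: str) -> bytes:
    # Base64-URL segments omit padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token: str) -> Tuple[dict, dict]:
    # Anyone can do this: header and payload are only encoded, not encrypted.
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the payload if the HS256 signature is valid and the token is not
    expired; raise ValueError with the reason otherwise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Never let the token choose the algorithm: pin it to what this verifier expects.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the recomputed signature with the one in the token.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload

def check_hs256(token: str, secret: bytes, now: Optional[int] = None):
    # Convenience wrapper: (payload, None) on success, (None, reason) on failure.
    try:
        return verify_hs256(token, secret, now), None
    except ValueError as err:
        return None, str(err)

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Issuer side, included only so the example can build a sample token to check.
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"
```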

Note: Do not store sensitive data in the JWT payload or header. Anyone can decode the token and see its contents.