The Dev Tools - Free Online Developer Utilities

JWT Token:

Paste a JWT token to decode its header, payload, and signature

About JWT (JSON Web Tokens)

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs are digitally signed, which ensures that the claims cannot be altered after the token is issued.

JWT Structure

A JWT consists of three parts separated by dots (.):
• Header: Contains metadata about the token (type of token and signing algorithm)
• Payload: Contains the claims (statements about an entity)
• Signature: Verifies that the message hasn't been changed

Common Use Cases

Authentication: Single sign-on, user sessions
Authorization: Access control and permissions
Information Exchange: Secure data transmission
API Security: Stateless authentication for APIs
Microservices: Service-to-service communication

Tips

Always use HTTPS to transmit JWTs
Keep tokens short-lived with appropriate expiration
Don't store sensitive data in the payload (it's base64 encoded, not encrypted)
Use strong secrets for signing
Validate all claims during verification
Implement token revocation when needed

Common Claims

iss (Issuer): Who issued the token
sub (Subject): Who the token refers to
aud (Audience): Who the token is intended for
exp (Expiration Time): When the token expires
nbf (Not Before): When the token starts being valid
iat (Issued At): When the token was issued
jti (JWT ID): Unique identifier for the token

Best Practices

Store tokens securely (httpOnly cookies for web apps)
Implement proper error handling for invalid tokens
Use appropriate algorithms (e.g., RS256 for public key infrastructure)
Keep payload size small for better performance
Include only necessary claims
Implement refresh token rotation for better security

Common Algorithms

HS256: HMAC with SHA-256 (symmetric)
RS256: RSA with SHA-256 (asymmetric)
ES256: ECDSA with SHA-256 (asymmetric)
PS256: RSA-PSS with SHA-256 (asymmetric)
none: No digital signature (not recommended)