What is a JSON Web Token (JWT)?
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:
- Header: Typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
- Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data.
- Signature: Used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.
Why Use Our Advance Online JWT Decoder?
Debugging authentication flows often requires inspecting the contents of a JWT. Our Advance Online JWT Decoder is designed for developers who need speed, security, and clarity.
100% Secure & Private
Unlike many other online tools, we perform all decoding client-side. Your sensitive tokens never leave your browser, ensuring no one else sees your data.
Instant Visualization
See the Header and Payload formatted as clean, highlighted JSON immediately. No more manually parsing Base64 strings.
Smart Timestamp Formatting
We automatically detect Unix timestamps (like iat, exp, nbf) and convert them into human-readable dates for easier debugging.
Premium Experience
A clean, ad-free, light-mode interface that is easy on the eyes, mobile-responsive, and developer-friendly.
How to Use the JWT Decoder
- Retrieve Your Token: Grab the JWT from your application's local storage, cookies, response headers, or API logs.
- Paste into the Input Field: Paste the token string into the large text area above. The tool will automatically validate the format.
- Analyze the Results: The tool will instantly split and decode the token. Use the tabs to switch between the Header, Payload, and partial Signature view.
- Verify Claims: Check the
exp(expiration) claim to see if your token is still valid, or inspect custom claims (like roles or permissions).
Other Related Important Sections
Understanding Standard Claims
The Payload often contains "Registered Claims", which are predefined by the JWT specification. While not mandatory, they are recommended:
| Claim | Full Name | Description |
|---|---|---|
| iss | Issuer | Identifies the principal that issued the JWT. |
| sub | Subject | Identifies the subject of the JWT (e.g., user ID). |
| aud | Audience | Identifies the recipients that the JWT is intended for. |
| exp | Expiration Time | Identifies the expiration time on or after which the JWT must not be accepted. |
| nbf | Not Before | Identifies the time before which the JWT must not be accepted. |
| iat | Issued At | Identifies the time at which the JWT was issued. |
Security Warning
Never store sensitive information (like passwords or credit card numbers) in the JWT payload. Base64 decoding is trivial, and anyone who intercepts the token can read its contents. The signature only protects against tampering, not reading.
When should you use JSON Web Tokens?
- Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.
- Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are.
Frequently Asked Questions & Troubleshooting
How to fix "Signature Verification Failed" (invalid_signature)?
This error occurs when the server cannot verify the token's integrity. Common causes include: using the wrong secret key (for HS256), mismatched public keys (for RS256), or if the token payload has been tampered with after signing.
Why do I get "JsonWebTokenError: jwt malformed"?
This generic error usually means the string provided is not a valid JWT. Ensure your token has exactly two dots (header.payload.signature) and contains no leading/trailing whitespace or hidden characters from copy-pasting.
What does "TokenExpiredError: jwt expired" mean?
It means the current time is beyond the timestamp in the exp (expiration) claim. You must either refresh the token or issue a new one with a longer validity period. Also check for server time synchronization issues (clock skew).
Can I decode a JWT without the secret key?
Yes. JWTs are encoded with Base64Url, not encrypted. Anyone can read the Header and Payload without the secret. The secret key is only required to verify that the signature is valid and untampered.
What is the difference between HS256 and RS256?
HS256 (HMAC with SHA-256) is a symmetric algorithm where the same secret is used to sign and verify. RS256 (RSA Signature with SHA-256) is asymmetric; it uses a Private Key to sign and a Public Key to verify.
Why am I seeing "Invalid Audience" (aud) errors?
This happens when the API expects a specific value in the aud claim that identifies who validly issued the token. Ensure your authorization server configuration matches the audience expected by your resource server.
Is it safe to store passwords in a JWT?
NO. Since the payload is easily decoded by anyone, you should never put sensitive information like passwords, social security numbers, or private emails in the JWT.
How should I pass the JWT in the HTTP Header?
The standard method is using the Authorization header with the Bearer schema. Format: Authorization: Bearer <token>. Ensure there is a single space between "Bearer" and your token string.