JWT Decoder

Decode and inspect JWT tokens — view header, payload, and signature details

A JWT Decoder inspects JSON Web Tokens by decoding their three component parts. JWTs are used extensively in modern web applications for authentication and information exchange. A JWT consists of three Base64URL-encoded sections (Base64 with a URL-safe alphabet and no padding) separated by dots: the header, which describes the token type and signing algorithm; the payload, which contains the claims or data; and the signature, which lets a party holding the key confirm that the header and payload have not been tampered with.

The header typically contains the token type and the signing algorithm used. Common algorithms include HS256 for HMAC with SHA-256 using a shared secret key, RS256 for RSA with SHA-256 using a public-private key pair, and ES256 for ECDSA with SHA-256. The algorithm determines how the signature is generated and verified.

The payload contains the claims which are statements about the user or entity and additional metadata. Standard claims include sub for the subject identifier, iat for the issued-at timestamp, exp for the expiration time, and iss for the token issuer. Custom claims can include user roles, permissions, and application-specific data.

Developers use JWT decoders during development and debugging of authentication systems. When a token is generated by the authentication service, decoding it confirms that the correct claims are included. When an API rejects a token, decoding reveals whether the claims are correct or if the token has expired. A JWT inspector is essential for troubleshooting authentication flows.

Security researchers decode JWTs during security assessments to examine the claims and identify potential vulnerabilities. A token with an excessively long expiration time increases the risk window if the token is stolen. Tokens containing sensitive data in the payload expose that data because the payload is only Base64-encoded, not encrypted. Anyone who possesses the token can decode and read the payload contents.

The signature section is displayed but not verified during basic decoding because verification requires knowledge of the secret key or public key. The decoder shows the raw signature as a hexadecimal or Base64-encoded value. Developers can compare the signature against a known good value to detect tampering.

The decoder performs Base64URL decoding on each section and presents the resulting JSON in a formatted, readable display. The header and payload are parsed as JSON objects with syntax highlighting. Invalid Base64URL encoding, malformed JSON, or an incorrect token structure (not exactly three dot-separated parts) are flagged as errors that need correction.

Token expiration is checked against the current time. If the exp claim indicates the token has expired, a warning is displayed. Similarly, the nbf not-before claim is checked to see if the token is being used before its valid start time. These automatic checks help developers identify common token usage issues quickly.
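The decoding and claim checks described above, as an added example (not the tool's own code): it splits a compact JWT into its three parts, restores the padding Base64URL omits, parses header and payload as JSON, and collects the warnings a decoder would show for an expired token, a not-yet-valid token, and a token whose header declares no algorithm. The sample tokens, their claim values and the signature bytes are constructed for the example and are not real credentials; the signature is displayed as hex, not verified, because verification needs the key.

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode one Base64URL segment, restoring the '=' padding JWTs omit."""
    if "+" in segment or "/" in segment:
        raise ValueError("segment uses the standard Base64 alphabet, not Base64URL")
    segment = segment.rstrip("=")  # tolerate tools that left padding in place
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Base64URL without padding; used here only to build the constructed samples."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str, now: Optional[int] = None) -> dict:
    """Split a compact JWT into header, payload and raw signature.

    Header and payload are parsed as JSON objects; the signature is returned
    as hex for display only (verifying it requires the secret or public key).
    `now` is an epoch timestamp, defaulting to the current time.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated parts, got {len(parts)}")
    header_b64, payload_b64, signature_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    signature = b64url_decode(signature_b64)

    now = int(time.time()) if now is None else now
    warnings = []
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and now >= exp:
        warnings.append(f"token expired {now - int(exp)} seconds ago")
    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf:
        warnings.append(f"token not valid for another {int(nbf) - now} seconds")
    if str(header.get("alg", "")).lower() == "none":
        warnings.append("header declares alg=none: the token carries no signature")

    return {
        "header": header,
        "payload": payload,
        "signature_hex": signature.hex(),
        "warnings": warnings,
    }


def _sample(header: dict, payload: dict, signature: bytes) -> str:
    """Assemble a constructed token; the signature bytes are placeholders."""
    def compact(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([b64url_encode(compact(header)),
                     b64url_encode(compact(payload)),
                     b64url_encode(signature)])


# Constructed sample tokens (not real credentials). exp/nbf are fixed epoch
# values so the checks are reproducible when an explicit `now` is passed.
SAMPLE_TOKEN = _sample(
    {"alg": "HS256", "typ": "JWT"},
    {"sub": "user-123", "iss": "example-issuer", "iat": 1700000000, "exp": 1700003600},
    bytes.fromhex("deadbeef"),
)
NOT_YET_VALID_TOKEN = _sample(
    {"alg": "HS256", "typ": "JWT"},
    {"sub": "user-123", "nbf": 1700005000, "exp": 1700009000},
    bytes.fromhex("deadbeef"),
)
UNSIGNED_TOKEN = _sample({"alg": "none"}, {"sub": "user-123", "exp": 1700003600}, b"")

if __name__ == "__main__":
    for name, tok in [("sample", SAMPLE_TOKEN), ("nbf", NOT_YET_VALID_TOKEN), ("none", UNSIGNED_TOKEN)]:
        print(name, json.dumps(decode_jwt(tok, now=1700001000), indent=2))
```

Passing `now` explicitly is what makes the expiry checks testable; a decoder UI would use the wall clock. The alg=none warning is included because a decoder that only pretty-prints the header can make an unsigned token look like any other.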

Key Features

  • Three-Part Decoding
  • Claim Validation
  • Formatted Output

How to Use

  1. Paste Token
  2. Decode Automatically
  3. Review Claims

JWT Tips

  • JWTs are encoded, not encrypted: The payload is Base64URL-encoded, which anyone holding the token can decode. Never put sensitive information like passwords in a JWT payload.
  • Always verify the signature server-side: Client-side signature verification is not sufficient for security. Always verify tokens on the server before trusting their contents.
  • Short expiration times improve security: Token expiration times of 15-60 minutes are standard. Longer-lived tokens should use refresh token patterns instead.
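The server-side verification the second tip calls for, as an added example that is not the tool's or any library's code: the server pins the algorithm set it accepts (the token's own `alg` header is untrusted input), recomputes the HS256 HMAC over the transmitted `header.payload` bytes, compares it in constant time, and only then checks `exp`, `nbf` and `iss`. The secret, issuer name and tokens are all constructed for the example; `issue_hs256_token` mints test input the way an HS256 issuer would, and the two rejected tokens show the failure modes a verifier must catch (a payload swapped under a valid signature, and a header that declares no algorithm).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The server decides which algorithms it accepts. The token's `alg` header is
# only ever compared against this set, never used to choose the verifier.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_hs256_token(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token (issuer side); used here to build constructed test input."""
    signing_input = (_b64url_encode(_compact_json({"alg": "HS256", "typ": "JWT"}))
                     + "." + _b64url_encode(_compact_json(payload)))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, expected_iss: str,
               now: Optional[int] = None) -> dict:
    """Verify the signature first, then the claims. Returns the payload or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {header.get('alg') if isinstance(header, dict) else None!r} not allowed")

    # HS256: HMAC-SHA256 over the exact "<header>.<payload>" bytes as transmitted.
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    payload = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or has no exp claim")
    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf:
        raise ValueError("token not yet valid")
    if payload.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    return payload


def is_accepted(token: str, secret: bytes, expected_iss: str, now: int) -> bool:
    """Boolean wrapper so callers can check an outcome without try/except."""
    try:
        verify_jwt(token, secret, expected_iss, now)
        return True
    except ValueError:  # json and base64 decode errors are ValueError subclasses
        return False


# Constructed secret and tokens for the example; not real credentials.
SECRET = b"constructed-demo-secret-not-for-production"
GOOD_TOKEN = issue_hs256_token(
    {"sub": "user-123", "iss": "example-issuer", "iat": 1700000000, "exp": 1700003600}, SECRET)

# Rejected case 1: payload replaced while the original signature is kept.
_h, _p, _s = GOOD_TOKEN.split(".")
TAMPERED_TOKEN = _h + "." + _b64url_encode(_compact_json(
    {"sub": "user-123", "iss": "example-issuer", "exp": 1700003600, "role": "admin"})) + "." + _s

# Rejected case 2: header declares no algorithm and the signature part is empty.
UNSIGNED_TOKEN = _b64url_encode(_compact_json({"alg": "none"})) + "." + _p + "."

if __name__ == "__main__":
    print(verify_jwt(GOOD_TOKEN, SECRET, "example-issuer", now=1700001000))
    for name, tok in [("tampered", TAMPERED_TOKEN), ("unsigned", UNSIGNED_TOKEN)]:
        print(name, "accepted" if is_accepted(tok, SECRET, "example-issuer", 1700001000) else "rejected")
```

Two design choices worth noting: `exp` is required rather than optional, so a token minted without an expiry is rejected instead of living forever, and the signature is checked before any claim is read, so nothing in an unverified payload influences the outcome.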
