JWT Decoder & Verifier

Instantly decode, verify, and inspect your JSON Web Tokens securely in the browser.

Encoded JWT

Signature Verification

All decoding and verification is done securely in your browser. Your data is never sent to a server.

Decoded Token

Header
Payload
Signature Status

Enter a key to verify signature

The Ultimate Guide to JSON Web Tokens (JWT)

From securing APIs to managing user sessions, understand what JWTs are, how they work, and why they are a cornerstone of modern web security.

What is a JWT?

A JSON Web Token (JWT), pronounced "jot," is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

The Structure of a JWT

A JWT consists of three parts separated by dots (`.`):

Header.Payload.Signature

  • Header: The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 (HS256) or RSA. This JSON is Base64Url encoded to form the first part of the JWT.
  • Payload: The payload contains the "claims." Claims are statements about an entity (typically, the user) and additional data. There are registered claims (like `iss` for issuer, `exp` for expiration time, `sub` for subject), public claims, and private claims. The payload JSON is also Base64Url encoded to form the second part of the JWT.
  • Signature: To create the signature, take the encoded header and the encoded payload, join them with a dot, and sign that string with the secret (or private key) using the algorithm named in the header. The signature is used to verify that the sender of the JWT is who it claims to be and that the message was not changed along the way.

Why is Signature Verification So Important?

The signature is the most critical part of a JWT. Anyone can decode the header and payload to read the information inside, but only a party holding the secret key (or the private key, for RSA/ECDSA tokens) can produce a valid signature. When a server receives an HMAC-signed JWT, it recomputes the signature over the header and payload with its own secret key (for RSA/ECDSA tokens it checks the signature against the issuer's public key) and uses the algorithm it was configured to expect, not whatever the token's header happens to claim. If the signature it computes matches the signature on the token, that proves two things:

  1. Authenticity: The token was created by a trusted party that holds the secret key.
  2. Integrity: The header and payload have not been tampered with since the token was signed. Any change to the content would result in a different signature, causing verification to fail.

Never trust a JWT without verifying its signature! Our tool allows you to do this by providing the secret or public key.

Common Use Cases for JWTs

  • Authentication: This is the most common scenario. When a user logs in, the server creates a JWT and sends it to the client. The client then includes this JWT in the header of subsequent requests. The server can verify the token to authenticate the user without needing to look up their session in a database.
  • Authorization: Once a user is logged in, a JWT can contain information about their role and permissions (e.g., `role: "admin"`). The server can inspect the payload to determine what resources the user is allowed to access.
  • Information Exchange: JWTs are a good way of securely transmitting information between parties because they can be signed, meaning you can be sure the sender is who they say they are.

Frequently Asked Questions (FAQs)

1. How do I use the JWT Decoder?

Simply paste your full JWT string into the "Encoded JWT" text area. The tool will automatically decode the Header and Payload and display them. To verify the signature, paste the corresponding secret or public key into the verification box.

2. Is this tool secure? Is my token or key being saved?

This tool is 100% secure. All decoding and signature verification happens directly in your web browser using JavaScript. Your JWT and your secret key are never sent to our servers, stored, or seen by anyone.

3. Is a JWT encrypted?

No, by default, a JWT is only encoded and signed. The payload is Base64Url encoded, which is easily reversible, not encrypted. Anyone can see the data inside. If you need to send sensitive information, you should use a JWE (JSON Web Encryption) or ensure your communication is over a secure channel (HTTPS).