JWT Decoder & Encoder

Decode, verify, and generate JSON Web Tokens (JWT) entirely within your browser.


What are JWTs?

JSON Web Tokens (JWT) are an open industry standard (RFC 7519) for representing claims to be transferred between two parties as a compact, URL-safe string. The claims are signed (or protected with a MAC) so the receiver can check that they were not altered in transit. JWTs are widely used for authentication and information exchange in modern web applications and APIs.

How does it work?

To Decode: Paste your existing JWT into the "Encoded" text area on the left. The tool parses the token and displays its decoded Header and Payload on the right. Decoding needs no key: the header and payload are only base64url-encoded, so this step tells you nothing about whether the signature is valid.

To Encode & Sign: Edit the JSON in the "Decoded" Header or Payload sections. Select your signing algorithm and provide your secret (for HMAC algorithms) or private key (for RSA/ECDSA algorithms) in the "Verify Signature" section. The tool rebuilds and signs the token and displays the encoded JWT on the left.

Structure of a JWT

A JWT consists of three base64url-encoded parts separated by dots (.): the Header, the Payload, and the Signature. A JWT therefore looks like this: xxxxx.yyyyy.zzzzz.

  • Header: Typically consists of two fields: the token type (typ, normally "JWT") and the signing algorithm (alg), such as HMAC SHA-256 (HS256) or RSA (RS256).
  • Payload: Contains the claims (statements about an entity plus additional data). Claims are registered (such as iss, sub, aud, exp, nbf, iat), public, or private.
  • Signature: Lets the receiver verify that the header and payload were not changed along the way and, with an asymmetric key, that the token was issued by the holder of the private key.

Signature

To create the signature, take the base64url-encoded header, the base64url-encoded payload, and the key that matches the algorithm named in the header (a shared secret for HMAC, a private key for RSA or ECDSA), and sign the header and payload joined by a dot. For example, with the HMAC SHA-256 algorithm (HS256) the signature is created like this:

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Common Use Cases for JWT

JWTs are most commonly used for authorization and information exchange. Once the user is logged in, each subsequent request carries the JWT (usually in the Authorization header as a bearer token), and the server grants access to the routes, services, and resources permitted by the token's claims. A valid signature proves that the token was issued by a holder of the signing key and has not been modified since; it does not prove that whoever presents it is the legitimate user, because a bearer token that is stolen can be replayed until it expires.

Security Considerations

Never put secret information in the payload or header of a JWT unless it is encrypted. JWTs are signed to protect against tampering, but their header and payload are only base64url-encoded, not encrypted, so anyone who obtains the token can read them. Always use HTTPS to protect the token in transport, and keep tokens short-lived (set exp) so a leaked one has limited value.

On the verifying side, never let the token choose how it is verified: the expected algorithm and key must come from the server's configuration, not from the token's alg header, and tokens with alg "none" must be rejected. Check the registered claims that matter to you (exp, nbf, iss, aud) after the signature checks out, and compare signatures in constant time. HMAC secrets must be long and random (at least 256 bits for HS256); short or guessable secrets can be recovered offline from a single captured token. When experimenting with any decoder, this one included, prefer throwaway test keys over production secrets.

Privacy-First Tool

Your data never leaves your browser: decoding, signing, and verification all run locally in the page, with no uploads, no registration, and no data collection.