What Is a JWT?
A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe token format for passing a set of claims between parties in a form whose origin and integrity can be checked. JWTs are the backbone of modern authentication systems: when you log in to a web application, the server typically issues a JWT that your browser sends with every subsequent request to prove your identity.
JWTs are defined by RFC 7519 and are used in OAuth 2.0, OpenID Connect, and countless custom authentication schemes. They are self-contained: everything needed to verify the token, apart from the key, is encoded in the token itself, so no database lookup is required. The flip side is that a token stays acceptable until it expires unless the server keeps its own revocation state, which is one reason access tokens are kept short-lived.
The Three Parts of a JWT
Every JWT consists of three parts separated by dots:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNjE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
The first part (everything before the first dot) is the header, the second is the payload, and the third is the signature. All three are Base64URL-encoded: the header and payload decode to JSON objects, the signature to raw bytes.
Header
The header is a Base64URL-encoded JSON object that specifies the token type and the signing algorithm. The most common algorithms are HS256 (HMAC with SHA-256, keyed with a shared secret) and RS256 (RSA PKCS#1 v1.5 signatures with SHA-256, using a private/public key pair). Because the header travels inside the token, it is under the sender's control; the server must decide which algorithms it accepts rather than taking the header's word for it (see Security Notes):
{
"alg": "HS256",
"typ": "JWT"
}
Payload (Claims)
The payload contains claims — statements about the user and additional metadata. There are three types of claims:
{
"sub": "1234567890", // Registered claim: subject
"name": "Alice", // Public claim: user's name
"iat": 1616239022, // Registered claim: issued at
"exp": 1616242622, // Registered claim: expiration
"role": "admin" // Private claim: application-specific
}
Registered claims are predefined by RFC 7519: iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (JWT ID). Public claims are names anyone may define, so the spec asks that they either be registered with IANA or use a collision-resistant name such as a URI. Private claims are custom claims agreed upon between the parties; their meaning (here, that role decides what the user may do) is entirely the application's, so the server must only act on them after the signature has been verified.
Signature
The signature is computed over the encoded header, a dot, and the encoded payload, using the algorithm named in the header and a key: a shared secret for HMAC algorithms such as HS256, the issuer's private key for RS256. It lets the verifier detect any change to the header or payload and, because only a holder of the key could have produced it, ties the token to its issuer:
HMACSHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
secret
)
Token Expiration
The exp claim is a Unix timestamp (seconds since the epoch) after which the token must be rejected; nbf, if present, is the mirror image, a time before which the token is not yet valid. Checking these comes after signature verification, never instead of it, and verifiers usually allow a few seconds of clock skew. Short-lived tokens (15 minutes to 1 hour) are common for access tokens, while refresh tokens may last days or weeks. When debugging authentication issues, checking the exp claim is often the first step: many "unauthorized" errors are simply expired tokens.
How to Use the JWT Decoder
The JWT Decoder instantly breaks down any JWT into its components:
- Paste a JWT into the input field: the full token string with all three parts.
- View the decoded header with the algorithm and token type.
- Inspect the payload: all claims are displayed in formatted JSON. Timestamp claims such as exp and iat are converted to human-readable dates.
- Check expiration status: the tool tells you whether the token is still valid or has expired. Decoding does not verify the signature, so a token that decodes cleanly and is in date may still have been forged; only the server holding the key can tell.
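The four steps above as an added JavaScript example; this is not the PulpMiner decoder's own source. It runs the article's sample token through the same sequence (split, header, claims with timestamps rendered as dates, expiration status) and assumes a Node.js runtime for Buffer and a clock value passed in as now.

```javascript
// Added example (not the PulpMiner decoder's source): the four decoder steps as
// code. Decoding only; nothing here checks the signature.
function base64UrlDecode(str) {
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Step 1: split the pasted string into its three parts and decode the JSON ones.
function splitJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 parts, got ${parts.length}`);
  const json = (part) => JSON.parse(base64UrlDecode(part).toString('utf8'));
  return { header: json(parts[0]), payload: json(parts[1]), signature: parts[2] };
}

// Step 3: registered timestamp claims are Unix seconds; render them as ISO-8601 UTC.
const TIMESTAMP_CLAIMS = ['iat', 'exp', 'nbf'];
function humanTimestamps(claims) {
  const out = {};
  for (const name of TIMESTAMP_CLAIMS) {
    if (Number.isInteger(claims[name])) out[name] = new Date(claims[name] * 1000).toISOString();
  }
  return out;
}

// Step 4: expiration status relative to `now` (Unix seconds). A missing exp is
// reported as such rather than silently treated as "never expires".
function expirationStatus(claims, now) {
  if (!Number.isInteger(claims.exp)) return 'no exp claim';
  return now >= claims.exp
    ? `expired ${now - claims.exp} s ago`
    : `valid for ${claims.exp - now} s`;
}

function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = splitJwt(token); // step 1
  return {
    header,                                 // step 2: alg and typ
    payload,                                // step 3: every claim, formatted
    timestamps: humanTimestamps(payload),
    status: expirationStatus(payload, now), // step 4
    signature,                              // displayed, never checked here
  };
}

// The sample token from the article (HS256 header; sub, name and iat; no exp).
const SAMPLE =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNjE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
console.log(JSON.stringify(inspectJwt(SAMPLE, 1616239022 + 600), null, 2));
```

Running it on the sample token reports iat as 2021-03-20T11:17:02Z and a status of "no exp claim", which is worth noticing in a real token: an access token without exp never expires on its own.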
Security Notes
There are important security considerations to keep in mind when working with JWTs. First, the payload is not encrypted; it is merely Base64URL-encoded, which means anyone who obtains the token (from a log, a proxy, or browser storage) can read it. Never store sensitive information like passwords or credit card numbers in a JWT payload.
Second, always validate the signature on the server side, and only then check the claims you rely on (exp, plus iss and aud where they apply). Decoding a token and verifying it are different operations: a JWT whose signature is not checked is no better than a plain JSON object supplied by the client. The signature is what ensures the token was issued by a trusted party and has not been modified.
Third, beware of the "none" algorithm attack. Some JWT libraries have accepted tokens with "alg": "none", which means no signature at all: an attacker takes a real token, edits the payload, sets the algorithm to none and drops the signature. Always explicitly specify which algorithms your server accepts, and never let the token's own header make that choice. The same rule blocks algorithm confusion, where a token meant for RS256 is re-signed with HS256 using the server's RSA public key as the HMAC secret.
The PulpMiner JWT decoder runs entirely in your browser — your tokens are never sent to any server. Try the JWT Decoder to inspect any token instantly.
