JWT Decoder

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and authorization in web applications. They consist of three parts: header, payload, and signature.

A JWT consists of three Base64URL-encoded parts separated by dots: the Header (specifies the signing algorithm and token type), the Payload (contains the claims or data), and the Signature (verifies the token has not been tampered with). Example: xxxxx.yyyyy.zzzzz

You can decode a JWT client-side to read its header and payload, but you cannot fully verify the signature without the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA). This tool decodes the token for inspection purposes — signature verification should be done server-side.

Session-based authentication stores session data on the server and sends a session ID to the client. JWT authentication stores all necessary data in the token itself (stateless), making it easier to scale across multiple servers. JWTs are self-contained but larger, while sessions require server-side storage.

Common JWT claims include: sub (subject — who the token is about), iss (issuer — who created the token), aud (audience — who the token is for), exp (expiration time), iat (issued at), nbf (not before), and jti (JWT ID — unique identifier). Custom claims can also be added for application-specific data.