JWT Decoder

Your data is 100% private -- JWT is fully decoded and encoded directly on your device.


Learn about JWT

Everything you need to know about JWT, plus step-by-step guides to verifying JWTs in various frameworks.

What is JWT?

JWT (JSON Web Token) is a self-contained, stateless token that carries information in a structured, readable format. Whether you are protecting an API or adopting token-based authentication for your application, JWTs are a powerful tool because they are:

  • Stateless: JWTs are self-contained and do not require server-side state to validate. Their signature lets the recipient verify that the contents have not been altered.
  • Cross-service compatible: JWTs can be easily shared and verified across different services, since any service holding the verification key can check a token on its own.
  • Extensible: The payload of a JWT can contain custom claims, allowing for flexible authorization and information sharing.

The structure of JWT

A typical JWT is split into three parts, each encoded in Base64URL and separated by periods (.):

  • Header - Contains metadata, such as the signing algorithm (e.g., HS256 or RS256) and the token’s type (JWT).
  • Payload - Contains the actual data, like user ID, user profile, expiration time, or scopes.
  • Signature - Computed over the Base64URL-encoded Header and Payload with the algorithm named in the header, using either a shared secret (HMAC, e.g., HS256) or the issuer's private key (e.g., RS256). Its purpose is to ensure the token's integrity and confirm that it has not been altered; whoever holds the corresponding secret or public key can check it.

This structure lets JWTs transmit information between parties in a compact form whose integrity the recipient can verify. Note that the signature protects integrity, not confidentiality: the header and payload are only encoded, not encrypted.

Common token claims in JWT

The claims are part of the payload and hold the key information. Here are the standardized registered claims (defined in RFC 7519) for your reference:

Claim  Full name        Description
iss    Issuer           The entity that issued the JWT, such as the authorization server.
sub    Subject          Identifies the subject of the JWT, typically the authenticated user.
aud    Audience         The recipients allowed to accept and process the token: a single value, or an array of values for multiple audiences.
exp    Expiration Time  Timestamp after which the token is invalid. Limits how long a leaked token can be replayed.
nbf    Not Before       Timestamp before which the token must not be accepted. Validators normally allow a small clock skew (leeway) when checking exp and nbf.
iat    Issued At        When the token was created. Can be used to determine the token's age or to reject tokens issued too long ago.
jti    JWT ID           A unique identifier for the token, useful to detect reuse of the same token (e.g., in replay attacks) when the server records the IDs it has already seen.

Depending on the specification and the configuration of the authorization server, additional claims may be included in the payload to support specific use cases. You can also add custom claims to JWT to meet unique business requirements.

Caution: Do not store private or sensitive information in JWT claims. While JWT claims are encoded (using Base64URL), they are not encrypted. This means anyone with the token can decode it and view the claims, even if they cannot alter it without invalidating the signature. Use encryption or other secure methods to safeguard sensitive data when necessary.

When to use JWT?

JWTs can be particularly beneficial in the following scenarios:

  1. Microservices architecture: For stateless authentication across multiple services.
  2. Single sign-on (SSO) systems: Enabling access to multiple applications with one authentication.
  3. Mobile applications: Efficiently maintaining user sessions across API calls.
  4. High-traffic applications: Reducing database load in high-volume environments.
  5. Cross-origin resource sharing (CORS): Simplifying authentication across multiple domains.
  6. Serverless architectures: Providing stateless authentication where server-side sessions are challenging.

How to verify JWT?

The integrity of a JWT must be verified before any of its claims are trusted: check the signature with the algorithm and key the server expects (never the algorithm the token itself announces), then validate the registered claims such as exp, nbf, iss and aud. Below are step-by-step examples for verifying JWTs in popular programming environments:
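The following script is an added example, not code from the original page or from Logto. Using only the Python standard library, it builds an HS256 token from the three-part structure described above, decodes it the way a decoder tool does (without trusting it), and then verifies it the way a resource server should: pin the algorithm, compare the HMAC in constant time, and check exp, nbf, iss and aud. The secret, issuer URL, claim values and clock value are constructed for the demo; the forged payload and alg=none cases show why each check is there.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

ISSUER = "https://auth.example.test"  # constructed issuer for the demo


def compact(obj: dict) -> bytes:
    # Compact JSON, as issuers typically serialize header and payload.
    return json.dumps(obj, separators=(",", ":")).encode()


def b64url_encode(data: bytes) -> str:
    # JWT uses Base64URL without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Signing input is base64url(header) + "." + base64url(payload); HS256 is HMAC-SHA256 over it.
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    # What a decoder tool does: split, Base64URL-decode, parse JSON. Nothing here is trusted yet.
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes, audience: str, issuer: str,
                 now: Optional[int] = None, leeway: int = 60) -> dict:
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's header choose it
    # (rejects alg=none and HMAC/RSA key-confusion tokens).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak which bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    # Registered claims: exp and nbf with a small leeway for clock skew, then iss and aud.
    if "exp" not in payload or now > payload["exp"] + leeway:
        raise ValueError("token expired")
    if now < payload.get("nbf", 0) - leeway:
        raise ValueError("token not yet valid")
    if payload.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return payload


def outcome(token: str, secret: bytes, audience: str, issuer: str, now: int) -> str:
    try:
        verify_hs256(token, secret, audience, issuer, now=now)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"


def run_demo() -> dict:
    """Constructed cases exercising each check; returns case name -> outcome."""
    secret = b"constructed-demo-secret"  # constructed for the demo, not a real key
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": "user-123", "aud": ["api", "web"],
               "iat": 1700000000, "nbf": 1700000000, "exp": 1700000600, "jti": "demo-1"}
    now = 1700000300  # fixed clock so the results are reproducible
    token = sign_hs256(header, payload, secret)
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Attacker edits the payload but cannot recompute the HMAC without the secret.
    forged_payload_b64 = b64url_encode(compact(dict(payload, sub="admin")))
    # Attacker swaps the header to alg=none and drops the signature.
    none_header_b64 = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return {
        "valid": outcome(token, secret, "api", ISSUER, now),
        "wrong_audience": outcome(token, secret, "mobile", ISSUER, now),
        "expired": outcome(token, secret, "api", ISSUER, now + 3600),
        "tampered_payload": outcome(f"{header_b64}.{forged_payload_b64}.{sig_b64}", secret, "api", ISSUER, now),
        "alg_none": outcome(f"{none_header_b64}.{payload_b64}.", secret, "api", ISSUER, now),
        "wrong_secret": outcome(token, b"some-other-secret", "api", ISSUER, now),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:18} {result}")
```

Run it directly to see each case accepted or rejected with its reason. The order of checks matters: the algorithm is pinned and the signature verified before the payload is parsed for claims, so a forged payload never influences the decision, and the clock used for exp/nbf is the server's own, never a value from the token.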


Unlock more with Logto Cloud

Simplify your workflow and ensure secure user management with Logto Cloud. Built on OpenID Connect (OIDC), it leverages JWT to deliver a reliable authentication and authorization system designed to scale with your needs.