JWT Decoder/Encoder
A development tool for working with JSON Web Tokens (JWTs). It decodes a JWT to show its content, verifies signature validity, and encodes new JWTs with a choice of algorithms. It is suitable for API development, authentication debugging, and token analysis.
What is JWT
JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties. A JWT consists of three parts, Header, Payload, and Signature, separated by periods.
The Header contains the token type and signing algorithm; the Payload contains the Claims (the data actually being transmitted); the Signature verifies that the token hasn't been tampered with. JWTs are widely used for web application authentication, single sign-on, API authorization, and similar purposes.
Key Features
Paste a JWT and it is decoded automatically, displaying the header and payload as JSON. The tool can verify the signature with a secret key (symmetric) or a public key (asymmetric), confirming that the token hasn't been tampered with.
It supports the common JWT signing algorithms, both symmetric (HS256, HS384, HS512) and asymmetric (RS256, RS384, RS512, ES256, ES384, ES512, etc.).
You can customize the header and payload content, select a signing algorithm, and enter a secret or private key to generate a standard-compliant JWT. You can also set an expiration time, and the exp field is calculated automatically. The decoded header and payload are displayed as formatted JSON, with the verification result shown clearly.
How to Use
Switch to "Decode" mode and paste the complete JWT string into the input box; it is decoded automatically and the header and payload content are displayed. Review the claims in the token, and click the copy button to get the JSON content.
To verify a signature, paste the JWT in decode mode, check the alg field in the header for the signing algorithm, and enter the secret or public key that matches the algorithm type. The tool verifies the signature automatically and shows the result.
To encode (generate) a JWT, switch to "Encode" mode, select a signing algorithm, edit the payload to add custom claims, set an expiration such as 2h (2 hours), 30m (30 minutes), or 1d (1 day), and enter the secret or private key. The tool generates the JWT automatically.
Signing Algorithm Explanation
Symmetric Algorithms (HMAC): HS256/HS384/HS512 use HMAC with SHA hash functions. Symmetric algorithms use the same key for signing and verification, so they are suitable for server-side internal use where the key can be kept strictly secret.
Asymmetric Algorithms (RSA/ECDSA): RS256/RS384/RS512 use RSA public key cryptography (the private key signs, the public key verifies). ES256/ES384/ES512 use elliptic curve digital signatures (the private key signs, the public key verifies). Asymmetric algorithms are suitable for distributed systems, because the public keys can be distributed openly for verification.
Application Scenarios
When developing APIs, decode JWTs to view the user information and permission claims carried in requests, and verify signatures to ensure tokens come from trusted sources. Analyze JWTs returned by third-party services to understand their token structure and user information. In development environments, generate test JWTs that simulate different users, permissions, or expiration times to test your application's authentication logic. Check whether a JWT contains sensitive information, and check the security of its signing algorithm.
Important Notes
A JWT is encoded and signed, not encrypted. Anyone can Base64-decode it to view the payload content. The signature only verifies that the token hasn't been tampered with; it does not protect the privacy of the content.
A JWT carries its complete payload, which makes tokens large. When transmitted in HTTP headers, overly large JWTs may cause performance issues, so keep payloads minimal. Once issued, a JWT can't be revoked before it expires. If revocation is needed, you must maintain a server-side blacklist, which gives up JWT's stateless advantage.
The exp and iat fields depend on the system clock, so ensure server clocks are synchronized. Tokens and keys entered in this tool are processed locally in the browser and are not uploaded to any server, but we still recommend not using this tool with real keys from production environments.
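The notes above, as an added example (not this tool's code): a minimal HS256 encoder and verifier in Python using only the standard library. The secret, claims and function names are constructed for illustration; the payload is read without any key, the verifier accepts only the algorithm it expects rather than whatever the header's alg says, and exp is checked against the clock with a small leeway.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    # JWT segments drop Base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(payload, secret):
    # header.payload.signature, each part Base64url-encoded.
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    sig = hmac.new(secret, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])

def peek_payload(token):
    # No key needed: the payload is only encoded, not encrypted.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token, secret, now=None, leeway=30):
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        payload = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed token")
    # Pin the algorithm the verifier expects; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise ValueError("expired or missing exp")
    return payload

if __name__ == "__main__":
    demo = encode_hs256({"sub": "alice", "exp": int(time.time()) + 7200}, b"constructed-demo-secret")
    print(demo, verify_hs256(demo, b"constructed-demo-secret"))
```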
Tool Comparison
Similar JWT tools include jwt.io, JWT Debugger, and online-jwt-decoder. jwt.io, provided by Auth0, is the most popular JWT debugging tool and supports a rich set of algorithms and visualization. This tool provides similar functionality, with all processing completed locally in the browser and no dependency on third-party services, which better protects privacy. For complex JWT management needs, we recommend professional authentication services such as Auth0, Firebase Authentication, or Keycloak.



