
JWT Inspector

Secure, client-side JSON Web Token decoding and debugging.


Understanding JSON Web Tokens (JWT)

JWT is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

1. The Header

The header typically consists of two parts: the type of the token (JWT) and the signing algorithm being used, such as **HMAC SHA256** or **RSA**.

2. The Payload

The payload contains the **claims**. Claims are statements about an entity (typically, the user) plus additional data such as the expiration time (`exp`) or the issuer (`iss`).

3. The Signature

The signature is created by signing the encoded header and the encoded payload (joined with a dot) with a secret or private key, using the algorithm specified in the header. A verifier recomputes this value and compares it with the signature it received.

Decoding vs. Verification

It is a common misconception that JWTs are "encrypted." In reality, most JWTs are only **Base64URL encoded**. This means anyone who has the token can read the data inside it using a decoder like this one.

Important Security Note

Because the payload is easily readable, you should **never** put sensitive information like passwords, API keys, or private personal data inside a JWT payload.


Common JWT Claims Explained

  • iss (Issuer): Identifies the principal that issued the JWT.
  • sub (Subject): A unique identifier for the subject of the token, typically the user.
  • exp (Expiration): The timestamp after which the token must no longer be accepted.
  • iat (Issued At): The time at which the JWT was generated.

Authentication Security Suite © 2025 · Privacy First