JWT Decoder
Quickly and easily decode JSON Web Tokens (JWT) instantly. Paste your JWT Token below.
Quickly and easily decode JSON Web Tokens (JWT) instantly. Paste your JWT Token below.
A JWT (JSON Web Token) is a compact, URL-safe token format used for authentication and information exchange in REST APIs, OAuth flows, and SSO systems. JWTs consist of three base64url-encoded parts: header.payload.signature.
Security note: JWT payloads are base64-encoded, not encrypted — anyone with the token can read the payload. Never store sensitive data in JWT payloads.
The payload can be modified, but the signature will then be invalid and the server should reject it. This relies on the server properly verifying the signature. The "alg: none" attack exploited poorly implemented libraries that accepted unsigned tokens. Always verify signature, validate exp, and reject tokens with alg: none.
Session cookies store a session ID on the server and send a cookie reference to the client. JWTs are self-contained — the server doesn't need to look anything up, making JWTs stateless and scalable. The tradeoff: JWTs can't be invalidated before expiry without a token blacklist, whereas session cookies can be instantly invalidated by deleting the server-side session.