Advertisement

JWT Decoder

Quickly and easily decode JSON Web Tokens (JWT) instantly. Paste your JWT Token below.

Advertisement

Understanding JSON Web Tokens (JWT)

A JWT (JSON Web Token) is a compact, URL-safe token format used for authentication and information exchange in REST APIs, OAuth flows, and SSO systems. JWTs consist of three base64url-encoded parts: header.payload.signature.

JWT Structure

Common JWT Claims

Security note: JWT payloads are base64-encoded, not encrypted — anyone with the token can read the payload. Never store sensitive data in JWT payloads.

Can a JWT be tampered with?

The payload can be modified, but the signature will then be invalid and the server should reject it. This relies on the server properly verifying the signature. The "alg: none" attack exploited poorly implemented libraries that accepted unsigned tokens. Always verify signature, validate exp, and reject tokens with alg: none.

What is the difference between JWT and session cookies?

Session cookies store a session ID on the server and send a cookie reference to the client. JWTs are self-contained — the server doesn't need to look anything up, making JWTs stateless and scalable. The tradeoff: JWTs can't be invalidated before expiry without a token blacklist, whereas session cookies can be instantly invalidated by deleting the server-side session.