JWT Decoder

Easily decode and verify JSON Web Tokens with our fast, secure, and user-friendly decoder.

What is JSON Web Token (JWT)?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and information exchange in web applications.

Structure of JWT

A JWT consists of three base64url-encoded parts separated by periods (.):

  • Header: The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
  • Payload: The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.
  • Signature: To create the signature part, take the encoded header, the encoded payload, and a secret, then sign them using the algorithm specified in the header. The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn’t changed along the way.

How JWT works

When a user logs in or attempts to access a protected resource, the server generates a JWT after successful authentication. The client then stores this token, usually in local storage or a cookie. For every subsequent request that requires authentication, the client sends the JWT in the request headers. The server validates the token by checking the signature and decoding the payload to ensure the user’s authenticity and authorization.

Try it yourself

Use the generator above to create secure JWKs directly in your browser. There is no server-side processing; everything happens on your device for maximum security. You can generate RSA, EC, EdDSA, or symmetric keys with the customization you need and export them in JWK format.