JWT Analyzer
Decode and inspect JSON Web Tokens instantly and securely.
Paste your JWT into the analyzer to decode its header and payload. Our tool works entirely in your browser, ensuring your tokens and secrets remain secure while you debug.
JWT Token Analyzer
Decode and inspect JSON Web Tokens (JWTs) client-side. Your data never leaves your browser.
This tool only decodes the token and does not verify the signature. Verifying a signature requires the secret or public key, which should never be exposed in a client-side tool.
About This Tool
The JWT Analyzer is a debugging and security review tool for web developers. JSON Web Tokens (JWTs) are a widely used format for access and ID tokens, but a raw token is an opaque string that is awkward to read by hand. This tool decodes a JWT into its human-readable parts: the Header, which carries metadata such as the signing algorithm, and the Payload, which carries the claims about the user or session. All decoding happens directly in your browser with JavaScript. No token, secret or other sensitive data is transmitted to our servers, so pasting a token here does not disclose it to a third party. The tool also runs basic checks on the decoded token and warns you, for example, when the header declares the insecure 'none' algorithm. Keep in mind that a decoded token is still a credential: inspecting it does not validate or revoke it, and it should be handled with the same care afterwards.
How to Use This Tool
- Obtain the JWT you want to analyze from your application's local storage, cookies, or an API response. A valid access token is a credential, so prefer one issued to a test account.
- Paste the entire JWT string into the input field.
- The tool will automatically decode the token in real-time.
- Review the Header and Payload sections to inspect the token's contents.
- Check for any security warnings related to the signing algorithm used.
In-Depth Guide
The Structure of a JWT
A JWT consists of three Base64Url-encoded parts separated by dots (`.`): the Header, the Payload, and the Signature. The Header contains metadata about the token, such as the token type (`typ`) and the signing algorithm (`alg`). The Payload contains the 'claims': statements about an entity (typically the user) plus any additional data. The Signature is computed over the first two parts with the issuer's key; a verifier uses it to confirm that the token was produced by a holder of that key and has not been modified since. It proves nothing about whoever is presenting the token, which is why a token must be kept confidential.
Encoding, Not Encryption
A common misconception is that JWTs are encrypted. The three-part signed tokens (JWS) that most applications use are not: the Header and Payload are Base64Url encoded, which is a reversible transformation, so anyone who obtains the token can decode and read its contents. (The JWT specifications also define an encrypted form, JWE, with five dot-separated parts, but it is far less common.) Therefore, never store anything in a JWT that you would not want the user or an attacker to see, such as passwords, API keys or other secrets. The signature protects the integrity of a JWT, not its confidentiality.
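The following is an added example, not the analyzer's own source code. It does what the steps under "How to Use This Tool" describe and what the two sections above explain: it splits a token into its three parts, reverses the Base64Url encoding of the header and payload, parses them as JSON, and collects the warnings an inspector should show (missing or 'none' `alg`, empty signature, missing or past `exp`). It never checks the signature. It runs under Node.js and uses only the built-in `Buffer`. The sample token is the widely published demo token (header `{"alg":"HS256","typ":"JWT"}`, payload `{"sub":"1234567890","name":"John Doe","iat":1516239022}`); the `alg: none` token is constructed in the block.

```javascript
// Added example (not the analyzer's code): decode a JWT the way a client-side
// inspector does, without verifying the signature. Node.js, no dependencies.

// Widely published demo token: header {"alg":"HS256","typ":"JWT"},
// payload {"sub":"1234567890","name":"John Doe","iat":1516239022}.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

// Base64Url (RFC 4648 section 5, padding stripped) -> UTF-8 string.
// JWT segments use '-' and '_' instead of '+' and '/' and omit '='.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Inverse transformation; used here only to build the constructed sample below.
function base64UrlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode header and payload and collect inspector warnings.
// `now` is seconds since the Unix epoch (the NumericDate unit exp/iat use)
// and is a parameter so the result is reproducible.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  const header = JSON.parse(base64UrlDecode(headerB64));
  const payload = JSON.parse(base64UrlDecode(payloadB64));

  const warnings = [];
  const alg = typeof header.alg === "string" ? header.alg : "";
  if (alg === "") {
    warnings.push("header has no 'alg'; a verifier cannot know how to check it");
  } else if (alg.toLowerCase() === "none") {
    warnings.push("alg is 'none': the token is unsigned and must be rejected by any verifier");
  }
  if (signatureB64 === "") {
    warnings.push("signature segment is empty");
  }
  if (typeof payload.exp !== "number") {
    warnings.push("payload has no 'exp'; the token never expires");
  } else if (payload.exp <= now) {
    warnings.push(`token expired at ${new Date(payload.exp * 1000).toISOString()}`);
  }
  // The signature is returned as-is: decoding it tells you nothing without the key.
  return { header, payload, signature: signatureB64, warnings };
}

// Constructed sample: an unsigned token with alg "none", an empty signature
// segment and an exp in the past. A decoder reads it just as easily.
const NONE_TOKEN =
  base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" })) + "." +
  base64UrlEncode(JSON.stringify({ sub: "1234567890", name: "John Doe", exp: 1516239022 })) + ".";

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
console.log(JSON.stringify(decodeJwt(NONE_TOKEN), null, 2));
```

Note that the decoder happily reads the `alg: none` token and only attaches warnings; rejecting it is the verifier's job, not the inspector's.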
The Importance of Signature Verification
The signature is the part of a JWT that security depends on. It is computed over the encoded header and the encoded payload, joined by a dot, using the algorithm named in the header: a shared secret for symmetric algorithms such as HS256, or a private key for asymmetric algorithms such as RS256 and ES256. When your server receives a JWT, it MUST verify the signature using the secret or the corresponding public key, and it MUST decide the expected algorithm itself rather than trusting the `alg` value in the header: a verifier that honours the header will accept unsigned `alg: none` tokens, and one that accepts both HS256 and RS256 with the same key material can be tricked into treating a public key as an HMAC secret. If the signature is not valid, the token must be rejected before any claim in it is used. This tool does not and cannot verify signatures, as that would require your secret or key material.
Common JWT Claims
There are several registered claims (RFC 7519) with a standard meaning. `iss` (Issuer): who issued the token. `sub` (Subject): the subject of the token (e.g., the user ID). `aud` (Audience): the recipient the token is intended for; a token issued for one service must not be accepted by another. `exp` (Expiration Time): the time after which the token is invalid. `nbf` (Not Before): the time before which the token must not be accepted. `iat` (Issued At): when the token was issued. `jti` (JWT ID): a unique identifier, useful for detecting replay. The time claims are NumericDate values, seconds since the Unix epoch, not milliseconds. Using these standard claims is best practice, and a verifier should check `exp`, `nbf`, `iss` and `aud` after the signature, not the signature alone.