JWT Decoder & Verifier

Decode JSON Web Tokens (JWT) to view header and payload contents. Verify signatures for RSA RS*/PS*, ECDSA ES*, and HMAC HS* algorithms.

About the JWT Decoder/Generator

JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims to be transferred between two parties. This tool allows you to decode JWTs to inspect their header and payload, verify their signatures against a public key or secret, and generate new sample JWTs using various algorithms (HS*, RS*, ES*, PS*).

Why Use This Tool?

Developers often need to debug JWTs received from authentication systems or APIs. This tool helps in quickly understanding the token's contents (like user ID, roles, expiration time) and verifying its integrity. The generation feature is useful for testing systems that consume JWTs or for creating sample tokens for development purposes.

Example Use Cases

  • Decoding an access token received from an OAuth 2.0 provider to check its claims and expiration time.
  • Verifying the signature of a JWT using the provider's public key to ensure it hasn't been tampered with.
  • Generating a sample HS256 JWT with a custom payload for testing an API endpoint that requires JWT authentication.

Pro Tips

  • Signature Verification: Always verify the signature of a JWT before trusting its content, especially if it comes from an untrusted source. Ensure you use the correct public key (for RS*/ES*/PS*) or secret (for HS*).
  • Payload Claims: Pay attention to standard claims like `iss` (issuer), `aud` (audience), `exp` (expiration time), `nbf` (not before), and `iat` (issued at). These are crucial for security and proper token lifecycle management.
  • Key Security: Keep your HMAC secrets and private keys (for RSA/ECDSA/PSS) secure. Never embed private keys directly in client-side code for production use. For RS*/ES*/PS*, signature verification needs only the public key; for HS*, the verifier holds the same secret that was used to sign.