OmniDev_

~/tools/jwt-decoder

JWT Decoder

Decode Header, Payload, and Signature. Live expiry countdown and HMAC signature verification — all in your browser, zero server calls.

// How to use
1. Paste JWT token into the input
2. Header, Payload, Signature decoded
3. Check live expiry on exp claim
4. Enter secret + Verify for HS256
* all processing done in browser
// Standard Claims
iss Issuer    sub Subject
aud Audience  jti JWT ID
exp Expiry    iat Issued At
nbf Not Before
* highlighted in payload section
100% client-side — no data leaves your browser
jwt — decoder
JWT TOKEN
Paste a JWT token above to inspect its contents

What is a JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to securely transmit information between parties as a JSON object. JWTs are widely used for authentication and authorization in modern web applications — particularly in REST APIs and Single Page Apps (SPAs). After a user logs in, the server issues a JWT that the client sends with every subsequent request to prove identity.

A JWT looks like three Base64URL-encoded strings separated by dots: xxxxx.yyyyy.zzzzz

Three-Part Structure

Every JWT is made up of exactly three parts separated by dots. This structure is not arbitrary — each part serves a distinct security purpose. Understanding what belongs in each section, and crucially what should never be placed there, is the foundation of using JWTs safely in production. A common misconception is that Base64-encoding the payload provides some protection; it does not — the payload is trivially decodable by anyone who holds the token.

Header

Contains metadata about the token — the algorithm used to sign it (alg) and the token type (typ). Common algorithms: HS256, RS256, ES256.

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

The claims — statements about the user and any additional data. Contains registered claims (exp, iat, sub) and custom application data.

{
  "sub": "user_123",
  "name": "Alice",
  "exp": 1893456000
}

Signature

Created by signing the encoded header and payload with a secret key (HMAC) or private key (RSA/ECDSA). Verifies the token has not been tampered with.

HMACSHA256(
  base64(header) +
  "." +
  base64(payload),
  secret
)

Standard Claims (Registered)

The JWT specification defines a set of reserved claim names with well-known meanings across all JWT libraries and services. Using these standard claims — rather than inventing your own field names — ensures interoperability with any framework that validates tokens. Of these, exp is the most critical: a token without an expiry can never be invalidated short of rotating your entire signing secret, which is a serious operational problem in production systems.

iss

Issuer

Identifies the party that issued the JWT. Usually the authentication server URL.

sub

Subject

Identifies the principal — typically a user ID or account identifier.

aud

Audience

Identifies the recipients the JWT is intended for. The API or service that should accept it.

exp

Expiration Time

UNIX timestamp after which the token must not be accepted. Always validate this claim.

iat

Issued At

UNIX timestamp when the token was issued. Used to determine the token's age.

nbf

Not Before

UNIX timestamp before which the token must not be accepted. Useful for future-dated tokens.

jti

JWT ID

Unique identifier for the JWT. Can be used to prevent replay attacks.

Signing Algorithms

The algorithm you choose determines who can verify the token and what key material is required. Symmetric algorithms like HS256 use the same secret for both signing and verification — simple and fast, but every service that needs to validate tokens must share that secret. Asymmetric algorithms like RS256 and ES256 split this responsibility: only the issuer holds the private key, while any downstream service can verify tokens using only the public key, without ever having access to the signing secret.

HS256 / HS384 / HS512

HMAC + SHA-2

Symmetric — same secret key signs and verifies. Fast and simple. Secret must be kept private on the server.

RS256 / RS384 / RS512

RSA + SHA-2

Asymmetric — private key signs, public key verifies. Clients can verify tokens without knowing the secret.

ES256 / ES384 / ES512

ECDSA + SHA-2

Asymmetric — like RS but using elliptic curves. Produces shorter signatures with equivalent security.

PS256 / PS384 / PS512

RSA-PSS + SHA-2

Asymmetric — RSA with probabilistic signature scheme. More secure than RS variants against certain attacks.

Security Considerations

JWTs are widely misused from a security perspective. Because decoding a token is trivial — it's just Base64 — developers sometimes assume the encoding provides confidentiality. It does not. The security of a JWT comes entirely from its signature, and only if the server validates that signature correctly on every single request. Skipping even one validation step opens the door to token forgery, privilege escalation, and session hijacking. These are the vulnerabilities that come up most often in real-world security audits and bug bounty reports.

// Security Warnings
! alg:none — tokens with no algorithm are unsigned and must always be rejected
! Weak secrets — HS256 secrets shorter than 32 bytes are brute-forceable
! Algorithm confusion — always validate the algorithm server-side; never trust the header alone
! JWT payload is only Base64-encoded, not encrypted — never store sensitive data in claims
! Always validate exp, iss, and aud claims server-side on every request
! Use short expiry times (15–60 min) and refresh token rotation for long sessions
* This inspector decodes for inspection only — always verify tokens server-side in production