
JWT Explained: How to Read and Validate JSON Web Tokens

Decode and inspect any JWT token. Learn about header, payload, signature, expiry, and common security mistakes.

What Is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format for representing claims (assertions) between two parties. Defined by RFC 7519, JWTs are the standard mechanism for authentication tokens, API authorization, and secure information exchange in modern web applications.

JWT Structure

A JWT consists of three Base64URL-encoded parts separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzAwMDAwMDAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Specifies the token type (JWT) and the signing algorithm (HS256 = HMAC-SHA256).

Payload (Claims)

{
  "sub": "user123",
  "name": "Alice",
  "email": "alice@example.com",
  "iat": 1700000000,
  "exp": 1700003600
}

Signature

Created by signing the Base64URL-encoded header and payload (joined with a dot) with a secret key (HS256) or a private key (RS256/ES256). The signature covers exactly those two encoded parts, so any change to either one invalidates it.

Standard Claims

Reserved claim names with special meaning:

  • iss (Issuer): Who created the token
  • sub (Subject): Who the token is about (usually user ID)
  • aud (Audience): Who the token is intended for
  • exp (Expiration): When the token expires (Unix timestamp)
  • nbf (Not Before): Token is invalid before this time
  • iat (Issued At): When the token was created
  • jti (JWT ID): Unique identifier for the token
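As an added example (not code from the original page or its parser tool), the following Node.js snippet splits a token into its three parts, decodes the header and payload, and renders the time-based registered claims as dates. It uses the page's own example token as sample input; function names such as decodeJwt and describeClaims are this example's own. Decoding is not verification: the signature is only measured, never checked.

```javascript
// Added example (not part of the original page): split a JWT into its three
// parts and decode the header and payload, the way a parser/debugger tool does.
// Decoding proves nothing about authenticity: the signature is only displayed.

function base64UrlDecode(segment) {
  // Node's 'base64url' encoding accepts the -/_ alphabet and missing padding.
  return Buffer.from(segment, 'base64url').toString('utf8');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerB64)),
    payload: JSON.parse(base64UrlDecode(payloadB64)),
    signatureBytes: Buffer.from(signatureB64, 'base64url').length, // 32 for HS256
    signingInput: `${headerB64}.${payloadB64}`, // the bytes the signature covers
  };
}

// Registered claims that hold Unix timestamps in seconds (RFC 7519, section 4.1).
const TIME_CLAIMS = new Set(['exp', 'nbf', 'iat']);

function describeClaims(payload) {
  const out = {};
  for (const [name, value] of Object.entries(payload)) {
    if (TIME_CLAIMS.has(name) && Number.isInteger(value)) {
      out[name] = { value, iso: new Date(value * 1000).toISOString() };
    } else {
      out[name] = { value };
    }
  }
  return out;
}

// The page's own example token, used here as sample input.
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiJ1c2VyMTIzIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzAwMDAwMDAwfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log('header :', decoded.header);
console.log('claims :', describeClaims(decoded.payload));
console.log('signature bytes:', decoded.signatureBytes);
```

Run it with node and the iat claim comes back as 2023-11-14T22:13:20.000Z; a token with the wrong number of parts is rejected before any JSON is parsed.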

JWT Signing Algorithms

Symmetric (Shared Secret)

  • HS256/HS384/HS512: HMAC with SHA-256/384/512
  • Same key used for signing and verification
  • Simple but requires sharing the secret

Asymmetric (Public/Private Key)

  • RS256/RS384/RS512: RSA with SHA-256/384/512
  • ES256/ES384/ES512: ECDSA (more efficient than RSA; smaller key sizes for the same security level)
  • Private key signs, public key verifies
  • Third parties can verify without the signing key

Security Considerations

The "alg: none" Attack

Early JWT libraries accepted unsigned tokens when alg was set to "none". Never let the token's own header choose the algorithm: the server should pin the algorithm(s) it expects and reject anything else, including "none".

Secret Key Strength

For HS256, use at least 256 bits of random entropy. Never use weak secrets like "secret" or "password"; anyone holding a signed token can guess such a secret offline and then mint tokens of their own. In Node.js, crypto.randomBytes(32) produces a suitable secret.

Token Storage

  • localStorage: Accessible to JavaScript, vulnerable to XSS
  • HttpOnly cookies: Not accessible to JavaScript, protected from XSS, but require CSRF protection
  • Recommended: HttpOnly, Secure, SameSite=Strict cookies

Token Revocation Challenge

JWTs are stateless — servers don't track which tokens are valid. Once issued, a JWT is valid until it expires. Workarounds:

  • Short expiration times (e.g. 15 minutes)
  • Token blacklist (defeats statelessness)
  • Refresh token rotation

JWTs in Authentication Flow

  1. User logs in with credentials
  2. Server validates credentials
  3. Server creates JWT signed with secret key
  4. JWT returned to client
  5. Client sends JWT in Authorization header on subsequent requests
  6. Server validates JWT signature and claims
  7. If valid, processes the request

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Using the JWT Parser Tool

Our tool:

  1. Paste any JWT — immediately decoded and displayed
  2. Shows all three parts — header, payload, and signature separately
  3. Claim interpretation — timestamps shown as human-readable dates
  4. Validation status — checks token expiration
  5. Algorithm identification — shows which signing algorithm was used
  6. Copy parts — extract header or payload as JSON

Use it for debugging authentication issues, understanding JWT contents during development, and verifying token structure and claims.