JWT Encoder/Decoder/Verifier
Decode JWT tokens, inspect header and payload, and verify signatures
About JWT Algorithms
HS256 (HMAC): Symmetric algorithm using a shared secret key. The same key is used for signing and verification. Fast and simple, suitable for server-to-server communication.
RS256 (RSA): Asymmetric algorithm using a private key for signing and a public key for verification. More secure for distributed systems where multiple parties verify tokens.
ES256 (ECDSA): Asymmetric algorithm using elliptic curve cryptography. Smaller key sizes than RSA with equivalent security. ES256 is widely used in modern systems.
About JWT Encoder/Decoder/Verifier
JWT (JSON Web Token) is a compact, URL-safe means of representing claims between two parties. JWTs consist of three Base64URL-encoded parts: Header (algorithm and token type), Payload (claims/data), and Signature (verification). This tool helps you decode and inspect JWT tokens, understand their structure, and get guidance on signature verification.
Frequently Asked Questions
What are the three parts of a JWT?
JWTs have three parts separated by dots: Header (algorithm and token type), Payload (claims/data), and Signature (verification). The first two are Base64URL-encoded JSON. The signature is computed with the algorithm named in the header (HMAC, RSA, etc.) to ensure integrity.
Can I decode JWT without the secret key?
Yes, you can decode and read the Header and Payload without the secret - they're just Base64URL-encoded, not encrypted. However, you need the secret (or, for asymmetric algorithms, the public key) to verify the signature and ensure the token hasn't been tampered with. Because anyone holding the token can read the payload, never store sensitive data in JWT payloads.
What's the difference between HS256 and RS256 algorithms?
HS256 (HMAC with SHA-256) uses a symmetric secret key - the same key signs and verifies. RS256 (RSA with SHA-256) uses asymmetric keys - a private key signs, a public key verifies. RS256 is more secure for distributed systems where multiple parties verify tokens, because verifiers hold only the public key and cannot sign tokens themselves.
Why does my JWT verification fail?
Common causes: wrong secret key, clock skew (exp/nbf/iat claims), token expired, algorithm mismatch, or tampered token. This tool shows detailed error messages to help diagnose. Ensure your secret matches exactly and check timestamp claims.
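The failure causes listed above, reproduced in a minimal HS256 verifier. This is an added example, not this tool's own code; the function names, the 30-second leeway, and the sample secret and claims are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part: str) -> bytes:
    # JWTs strip Base64URL padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(payload: dict, secret: bytes) -> str:
    # Helper used only to build constructed sample tokens.
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])

def verify_hs256(token: str, secret: bytes, now=None, leeway: int = 30):
    """Return (payload, None) on success or (None, reason) on failure."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except ValueError:
        return None, "malformed token"
    # Pin the algorithm: the verifier decides it, not the token's header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "algorithm mismatch"
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature (wrong secret or tampered token)"
    # Claims are trusted only after the signature has been checked.
    try:
        payload = json.loads(b64url_decode(p64))
    except ValueError:
        return None, "malformed token"
    # The leeway absorbs small clock skew between issuer and verifier.
    if "exp" in payload and now > payload["exp"] + leeway:
        return None, "token expired"
    if "nbf" in payload and now < payload["nbf"] - leeway:
        return None, "token not yet valid"
    return payload, None
```
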