Question 1

What is a JWT (JSON Web Token)?

Accepted Answer

A JWT is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts: a header (algorithm and type), a payload (claims), and a signature. JWTs are commonly used for authentication, authorization, and information exchange in modern web applications.

Question 2

Is it safe to decode JWTs online?

Accepted Answer

Our JWT Debugger processes everything client-side in your browser. Your tokens are never sent to any server, making it completely safe to use. However, never share your production tokens publicly, as payloads may contain sensitive information.

Question 3

What are JWT claims?

Accepted Answer

JWT claims are statements about the token subject. Registered claims include 'iss' (issuer), 'sub' (subject), 'aud' (audience), 'exp' (expiration), 'iat' (issued at), and 'nbf' (not before). Custom claims can include any application-specific data.

Question 4

How do I verify a JWT signature?

Accepted Answer

JWT signatures are verified using the algorithm specified in the header (e.g., HS256, RS256). This decoder shows the signature but doesn't verify it—you need the secret key or public key for verification. Never expose your secret keys.

Question 5

Why is my JWT showing as expired?

Accepted Answer

JWTs have an 'exp' (expiration) claim that specifies when the token expires. If the current time is past this timestamp, the token is considered expired. You'll need to obtain a new token from your authentication provider.

Question 6

What's the difference between HS256 and RS256?

Accepted Answer

HS256 uses a symmetric secret key for both signing and verification. RS256 uses asymmetric cryptography with a private key for signing and a public key for verification. RS256 is preferred for distributed systems where the verification key needs to be shared.

JWT Decoder & Debugger

Instant Decoding

Token Analysis

100% Secure