🔓 JWT Decoder

Decode and analyze JSON Web Tokens for security issues and debugging.

JWT Reference

Common Claims

  • iss - Issuer
  • sub - Subject
  • aud - Audience
  • exp - Expiration Time
  • nbf - Not Before
  • iat - Issued At
  • jti - JWT ID

Algorithms

  • HS256 - HMAC SHA-256
  • HS384 - HMAC SHA-384
  • HS512 - HMAC SHA-512
  • RS256 - RSA SHA-256
  • RS384 - RSA SHA-384
  • RS512 - RSA SHA-512
  • ES256 - ECDSA SHA-256

Security Best Practices

  • Always verify signatures server-side
  • Use strong algorithms (RS256, ES256)
  • Set appropriate expiration times
  • Validate all claims
  • Never store sensitive data in JWTs
  • Use HTTPS for token transmission

Common Vulnerabilities

  • alg: none - Algorithm bypass
  • Weak secrets for HMAC
  • Missing expiration validation
  • Improper audience validation
  • Key confusion attacks
  • Token leakage in logs/URLs
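The decoding and the checks this reference describes, as an added example that is not the tool's own code: a decoder that splits a token without trusting it, a server-side HS256 verifier that pins the algorithm (so alg:none and key-confusion tokens are refused before any HMAC comparison), and an analyzer that flags the claim problems listed under Common Vulnerabilities. `make_hs256`, the demo secret and the sample claims are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt(token: str) -> tuple[dict, dict, str]:
    """Split a token into (header, payload, signature) WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    return (json.loads(b64url_decode(parts[0])),
            json.loads(b64url_decode(parts[1])), parts[2])

def verify_hs256(token: str, secret: bytes) -> bool:
    """Server-side check: pin the algorithm, then compare the HMAC in constant time."""
    header, _, sig = decode_jwt(token)
    if header.get("alg") != "HS256":   # rejects alg:none and key-confusion tokens
        return False
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def analyze_jwt(token: str, expected_aud: str, now: float) -> list[str]:
    """Flag the claim and header issues from the 'Common Vulnerabilities' list."""
    header, payload, _ = decode_jwt(token)
    findings = []
    if str(header.get("alg", "")).lower() in ("", "none"):
        findings.append("alg:none - token is unsigned")
    if "exp" not in payload:
        findings.append("missing exp - token never expires")
    elif payload["exp"] <= now:
        findings.append("expired")
    aud = payload.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        findings.append("audience mismatch")
    return findings

def make_hs256(payload: dict, secret: bytes) -> str:
    """Build a constructed HS256 sample token for testing the checks above."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"
```

Pass the current Unix time as `now` in real use; the analyzer deliberately reports findings without verifying the signature, so `verify_hs256` (or the equivalent for RS256/ES256) must still run before any claim is trusted.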