About the JWT Decode / Encode tool
A JWT Decode / Encode tool is an online utility that helps you decode, view, and verify JSON Web Tokens (JWTs) or encode data into a JWT format. It is primarily used by developers and security professionals to work with tokens for authentication, secure data transmission, and API communication.
The tool takes a JWT string as input, decodes its base64url-encoded header, payload, and signature, and displays them in a readable format. For encoding, you provide the header, payload, and secret key, and the tool generates a valid JWT.
Yes, we do not store your input.
When you decode a JWT, you can view:
- Header: Specifies the algorithm and token type.
- Payload: Contains claims (user data or application-specific information).
- Signature: Ensures token integrity and authenticity.
Yes, our JWT tool allows you to modify the header and payload and then re-encode the token. Ensure you have the appropriate secret key to generate a valid signature for secure token usage.
No, decoding only makes the token readable but does not verify its authenticity. Verification requires checking the token’s signature using the appropriate secret or public key.
Common algorithms include:
- HS256 (HMAC with SHA-256)
- RS256 (RSA with SHA-256)
- ES256 (ECDSA with SHA-256)
An “Invalid Signature” JWT error occurs when the secret or key used for verification does not match the one used to sign the token, the token has been tampered with, or the token’s signature algorithm is unsupported or incorrectly implemented.
Yes, the tool supports encoding, so you can create JWTs by specifying a header, payload, and secret key. However, always adhere to your security policies when using generated tokens.
People usually use this tool for debugging and testing JWTs in development, learning JWT structure and functionality, verifying the integrity and authenticity of tokens, and generating JWTs for API testing.
You can save and download this page in your browser for offline usage.
Yes, JWTs are widely used in OAuth and OpenID Connect for access tokens and ID tokens. The tool can help decode, verify, and debug these tokens.
Please avoid sharing sensitive keys or tokens unless necessary, make sure you’re using a secure HTTPS connection, verify token claims and expiration dates for validity, and regularly update your knowledge about JWT security to prevent vulnerabilities.
Example JSON Web Token (JWT) and JSON
JWT Example File
Here’s an example JWT token you can use to test the decoder:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyMzk5MjIsImVtYWlsIjoiam9obkBleGFtcGxlLmNvbSIsInJvbGUiOiJ1c2VyIn0.ae42f5636683f4b23533c147cea1b0ba5c966226b59514d38431069c1f330357
When decoded, this token contains:
Header:
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload:
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516239922,
  "email": "john@example.com",
  "role": "user"
}
You can paste this token into the decoder to see it in action.
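The difference between decoding and verifying described above, as an added example that is not the tool's own code: it signs the sample header and payload with HS256, then shows that a token with an edited claim still decodes cleanly but fails verification. `SECRET`, the function names and the fixed `now` timestamps are assumptions made for this demo.

```python
import base64, hashlib, hmac, json

HEADER = {"alg": "HS256", "typ": "JWT"}            # sample header from this page
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022,
           "exp": 1516239922, "email": "john@example.com", "role": "user"}
SECRET = b"constructed-demo-secret"                # constructed for this demo

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    signing_input = f"{encode_segment(header)}.{encode_segment(payload)}"
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"

def decode_unverified(token: str):  # what a decoder shows: readable, not authenticated
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def verify_hs256(token: str, secret: bytes, now: int) -> str:
    try:
        h, p, s = token.split(".")
        header, payload = decode_unverified(token)
        alg, exp, sig = header.get("alg"), payload.get("exp"), b64url_decode(s)
    except (ValueError, AttributeError):
        return "malformed"
    if alg != "HS256":                       # pin the algorithm the verifier expects
        return "unsupported algorithm"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return "invalid signature"
    if isinstance(exp, (int, float)) and now >= exp:
        return "expired"
    return "valid"

def with_role(token: str, role: str) -> str:  # edit a claim, keep the old signature
    h, _p, s = token.split(".")
    return f"{h}.{encode_segment({**decode_unverified(token)[1], 'role': role})}.{s}"

if __name__ == "__main__":
    forged = with_role(sign_hs256(HEADER, PAYLOAD, SECRET), "admin")
    print(decode_unverified(forged)[1]["role"], "->", verify_hs256(forged, SECRET, 1516239100))
```

The same token moves from "valid" to "expired" once `now` reaches the `exp` claim, which is why a signature check alone is not enough.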
JSON Example
Here’s an example JSON payload you can use to test the encoder:
{
  "userId": "abc123",
  "username": "alice_smith",
  "permissions": ["read", "write"],
  "isAdmin": false,
  "createdAt": "2024-01-04T12:00:00Z",
  "metadata": {
    "lastLogin": "2024-01-03T15:30:00Z",
    "loginCount": 42,
    "deviceType": "mobile"
  }
}
You can paste this JSON into the encoder input field. When encoded, it will automatically:
- Add a default header with {"alg": "HS256", "typ": "JWT"}
- Convert your JSON payload into base64url format
- Add a dummy signature (since this is just for demonstration purposes)