JWT Decoder
Decode JWT tokens.
Overview
Decode JWTs (JSON Web Tokens) to inspect header, payload, and signature information. Useful for debugging authentication tokens, checking expiration times, and validating claims.
Formula
JWT structure: Consists of three dot-separated parts in the format Header.Payload.Signature. Header and Payload are JSON encoded as Base64URL.
Decoding process: Split by dots into 3 parts → Base64URL decode each part → Parse Header/Payload as JSON for display.
Signature verification (HMAC-SHA256): Compare HMAC(base64url(header) + '.' + base64url(payload), secret) with the Signature.
How to Use
1. Enter the JWT token string.
2. Review the decoded header (algorithm, type, etc.).
3. Review the decoded payload (claims: sub, iat, exp, etc.).
4. Check if the expiration time (exp) is still valid.
Tips
- ✔ JWT payloads are encoded, not encrypted. Never put sensitive information in the payload.
- ✔ The exp (expiration) claim is expressed as a Unix timestamp in seconds.
- ✔ Use standard claims like iat (issued at), nbf (not before), iss (issuer), and aud (audience).
- ✔ Checking the payload without verifying the signature is not a security validation.
- ✔ Minimize the payload to avoid hitting HTTP header size limits as token size grows.
FAQ
Q. What is JWT and why is it used?
JWT (JSON Web Token) is a compact, URL-safe token format for securely transmitting information between parties. It is primarily used for authentication (login) and information exchange in web applications. Since the server does not need to store state (stateless), it offers good scalability.
Q. What happens if a JWT is stolen?
If a JWT is stolen, an attacker can authenticate with that token until it expires. Countermeasures include short expiration times, HTTPS, HttpOnly cookie storage, refresh tokens, and token blacklists.
Q. What is the difference between HS256 and RS256?
HS256 (HMAC-SHA256) uses a symmetric key, so the same secret key is used for signing and verification. RS256 (RSA-SHA256) uses asymmetric keys, signing with a private key and verifying with a public key. RS256 is more secure in microservice environments since only the public key needs to be distributed.