JWT Parser

About JWT Token Parsing

JSON Web Tokens (JWT) are compact, URL-safe tokens that represent claims between parties. They consist of three Base64-encoded parts separated by dots: header, payload, and signature. JWT parsing allows developers to examine token contents, validate structure, verify expiration, and debug authentication issues in web applications and APIs.

Decode JWT headers to see algorithm and token type
Extract payload claims including user data and permissions
Analyze token expiration and issued dates
Validate token structure and format
Debug authentication and authorization issues

JWT Token Structure

Token Components

Header: Algorithm and token type
Payload: Claims and user data
Signature: Verification hash
Format: header.payload.signature
Encoding: Base64URL for each part
Separator: Dot (.) between components

Common Claims

iss: Issuer (who created the token)
sub: Subject (user identifier)
aud: Audience (intended recipient)
exp: Expiration time (Unix timestamp)
iat: Issued at time
nbf: Not before time

Frequently Asked Questions

How to parse json web token?

To parse a JSON Web Token, split the token string by the dot (.) separator into three parts: header, payload, and signature. Then Base64URL-decode the header and payload sections to reveal the JSON data inside. utilAZ provides a free online JWT parser that instantly decodes and displays all token components with formatted output.

What is jwt parser used for?

A JWT parser is used to decode and inspect the contents of JSON Web Tokens during development and debugging. It helps developers view the header algorithm, extract payload claims like user ID and expiration time, and validate token structure. This is essential when troubleshooting authentication flows, OAuth2 integrations, and API authorization issues.

How to decode jwt in javascript?

In JavaScript, you can decode a JWT by splitting the token on dots and using atob() or Buffer.from() to Base64-decode the header and payload parts. For example: JSON.parse(atob(token.split('.')[1])) extracts the payload. For Node.js, libraries like jsonwebtoken or jose provide full parsing and verification capabilities.

Is online jwt parser safe?

An online JWT parser is safe for development tokens because it only decodes the Base64-encoded content without needing the secret key. The utilAZ JWT parser processes tokens entirely in your browser, so no data is sent to any server. However, avoid pasting production tokens containing sensitive user data into any online tool.

How to verify jwt signature after parsing?

To verify a JWT signature, you need the signing key (shared secret for HS256 or public key for RS256/ES256). Recreate the signature by hashing the header and payload with the key using the algorithm specified in the header, then compare it to the token signature. Libraries like jsonwebtoken (Node.js) or PyJWT (Python) handle this verification automatically.

JWT Token Examples

Sample JWT Analysis:

Raw JWT Token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Decoded:

{

"alg": "HS256",

"typ": "JWT"

}

Payload:

eyJzdWIiOiIxMjM0NTY3ODkw...

Decoded:

{

"sub": "1234567890",

"name": "John Doe",

"iat": 1516239022

}

Signature:

SflKxwRJSMeKKF2QT4...

Status:

⚠️ Verification requires secret

Algorithm: HS256

Token Analysis:

Algorithm: HMAC SHA-256

Type: JWT

Subject: 1234567890

Name: John Doe

Issued At: 2018-01-18 01:30:22 UTC

Status: Expired

Valid For: Not specified

Signature: Not verified

JWT Signing Algorithms

Symmetric Algorithms:

HS256: HMAC with SHA-256 (most common)

HS384: HMAC with SHA-384

HS512: HMAC with SHA-512

Uses shared secret key for signing and verification. Same key used by issuer and verifier.

Asymmetric Algorithms:

RS256: RSA with SHA-256

RS384: RSA with SHA-384

RS512: RSA with SHA-512

ES256: ECDSA with SHA-256

ES384: ECDSA with SHA-384

ES512: ECDSA with SHA-512

Uses private key for signing, public key for verification. More secure for distributed systems.

JWT Security Best Practices

Security Guidelines:

✓ Short expiration: Use short-lived tokens

✓ HTTPS only: Always transmit over secure connections

✓ Validate claims: Check iss, aud, exp claims

✓ Strong secrets: Use cryptographically secure keys

✓ Algorithm validation: Verify expected algorithm

✓ Secure storage: Store tokens securely on client

Common Vulnerabilities:

None Algorithm: Bypass signature verification

Key Confusion: HS256 vs RS256 attacks

Weak Secrets: Brute force attacks

Token Replay: Reuse of valid tokens

XSS Storage: Tokens in localStorage

CSRF Attacks: Missing CSRF protection

Standard JWT Claims

Reserved Claims:

iss (Issuer): Token issuer identifier

sub (Subject): Token subject (user ID)

aud (Audience): Intended token recipient

exp (Expiration): Token expiration time

nbf (Not Before): Token valid from time

iat (Issued At): Token creation time

jti (JWT ID): Unique token identifier

Custom Claims Examples:

name: User's full name

email: User's email address

roles: User permissions/roles array

scope: OAuth scopes

tenant: Multi-tenant identifier

preferences: User settings object

session_id: Session identifier

Common Use Cases

Debugging authentication issues
Analyzing token expiration problems
Inspecting user claims and permissions
Validating token structure and format
API integration testing
Understanding OAuth token contents
Troubleshooting SSO implementations
Learning JWT structure and claims