Testing Environment: Our tools are currently under heavy testing. You may experience slower performance or temporary issues.

Report Issues
utilAZ Logo
🔍

JWT Parser

Parse, decode, and validate JSON Web Tokens (JWT) with header, payload, and signature analysis

JWT Token Parser

Characters: 0

Example JWT Tokens

🔒 Symmetric Algorithms

HS256: HMAC SHA-256 (most common)
HS384: HMAC SHA-384
HS512: HMAC SHA-512
Use case: Single application systems
Security: Shared secret required

🔐 Asymmetric Algorithms

RS256: RSA SHA-256
ES256: ECDSA SHA-256
PS256: RSA-PSS SHA-256
Use case: Distributed systems
Security: Public/private key pairs

About JWT Token Parsing

JSON Web Tokens (JWT) are compact, URL-safe tokens that represent claims between parties. They consist of three Base64-encoded parts separated by dots: header, payload, and signature. JWT parsing allows developers to examine token contents, validate structure, verify expiration, and debug authentication issues in web applications and APIs.

  • Decode JWT headers to see algorithm and token type
  • Extract payload claims including user data and permissions
  • Analyze token expiration and issued dates
  • Validate token structure and format
  • Debug authentication and authorization issues

JWT Token Structure

Token Components

  • Header: Algorithm and token type
  • Payload: Claims and user data
  • Signature: Verification hash
  • Format: header.payload.signature
  • Encoding: Base64URL for each part
  • Separator: Dot (.) between components

Common Claims

  • iss: Issuer (who created the token)
  • sub: Subject (user identifier)
  • aud: Audience (intended recipient)
  • exp: Expiration time (Unix timestamp)
  • iat: Issued at time
  • nbf: Not before time

Advertisement

AdSense Banner Ad Placeholder

Frequently Asked Questions

Is it safe to decode JWTs on client-side tools?

JWT parsing only decodes the Base64-encoded content and doesn't require the secret key. The header and payload are not encrypted, only signed. However, avoid pasting sensitive tokens into online tools. Use this parser for development and debugging, not production tokens with sensitive data.

What's the difference between decoding and verifying a JWT?

Decoding reads the token content without validation. Verification checks the signature using the secret key to ensure the token hasn't been tampered with. Our parser decodes tokens to show content but cannot verify signatures without the secret key, which should never be shared.

How can I tell if a JWT is expired?

Check the "exp" claim in the payload, which contains a Unix timestamp. If the current time is greater than this timestamp, the token is expired. Our parser automatically shows expiration status and converts timestamps to readable dates for easy verification.

What algorithms are commonly used for JWT signing?

Common algorithms include HS256 (HMAC SHA-256) for symmetric signing, RS256 (RSA SHA-256) for asymmetric signing, and ES256 (ECDSA SHA-256). The algorithm is specified in the token header. HS256 uses shared secrets while RS256 uses public/private key pairs.

JWT Token Examples

Sample JWT Analysis:

Raw JWT Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Decoded:
{
"alg": "HS256",
"typ": "JWT"
}
Payload:
eyJzdWIiOiIxMjM0NTY3ODkw...
Decoded:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
Signature:
SflKxwRJSMeKKF2QT4...
Status:
⚠️ Verification requires secret
Algorithm: HS256
Token Analysis:
Algorithm: HMAC SHA-256
Type: JWT
Subject: 1234567890
Name: John Doe
Issued At: 2018-01-18 01:30:22 UTC
Status: Expired
Valid For: Not specified
Signature: Not verified

Sponsored Content

AdSense Square Ad Placeholder

JWT Signing Algorithms

Symmetric Algorithms:

HS256: HMAC with SHA-256 (most common)
HS384: HMAC with SHA-384
HS512: HMAC with SHA-512
Uses shared secret key for signing and verification. Same key used by issuer and verifier.

Asymmetric Algorithms:

RS256: RSA with SHA-256
RS384: RSA with SHA-384
RS512: RSA with SHA-512
ES256: ECDSA with SHA-256
ES384: ECDSA with SHA-384
ES512: ECDSA with SHA-512
Uses private key for signing, public key for verification. More secure for distributed systems.

JWT Security Best Practices

Security Guidelines:

✓ Short expiration: Use short-lived tokens
✓ HTTPS only: Always transmit over secure connections
✓ Validate claims: Check iss, aud, exp claims
✓ Strong secrets: Use cryptographically secure keys
✓ Algorithm validation: Verify expected algorithm
✓ Secure storage: Store tokens securely on client

Common Vulnerabilities:

None Algorithm: Bypass signature verification
Key Confusion: HS256 vs RS256 attacks
Weak Secrets: Brute force attacks
Token Replay: Reuse of valid tokens
XSS Storage: Tokens in localStorage
CSRF Attacks: Missing CSRF protection

Standard JWT Claims

Reserved Claims:

iss (Issuer): Token issuer identifier
sub (Subject): Token subject (user ID)
aud (Audience): Intended token recipient
exp (Expiration): Token expiration time
nbf (Not Before): Token valid from time
iat (Issued At): Token creation time
jti (JWT ID): Unique token identifier

Custom Claims Examples:

name: User's full name
email: User's email address
roles: User permissions/roles array
scope: OAuth scopes
tenant: Multi-tenant identifier
preferences: User settings object
session_id: Session identifier

Common Use Cases

  • Debugging authentication issues
  • Analyzing token expiration problems
  • Inspecting user claims and permissions
  • Validating token structure and format
  • API integration testing
  • Understanding OAuth token contents
  • Troubleshooting SSO implementations
  • Learning JWT structure and claims

Advertisement

AdSense Bottom Ad Placeholder