Question 1

What is a JWT (JSON Web Token)?

Accepted Answer

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. It consists of three parts: a header, a payload, and a signature, each separated by dots. JWTs are commonly used for authentication and authorization in web applications.

Question 2

Does this tool verify JWT signatures?

Accepted Answer

No, this tool only decodes and displays the JWT contents. It does not verify the signature because that requires the secret key or public key used to sign the token. For signature verification, you need server-side validation with access to the appropriate keys.

Question 3

What do iat, exp, and nbf mean in a JWT?

Accepted Answer

These are standard JWT claims: 'iat' (Issued At) is when the token was created, 'exp' (Expiration Time) is when the token expires and should no longer be accepted, and 'nbf' (Not Before) is the time before which the token should not be accepted. All are Unix timestamps in seconds.

Question 4

Is it safe to decode JWTs in the browser?

Accepted Answer

Yes, decoding a JWT is safe because the header and payload are simply Base64-encoded, not encrypted. However, you should never expose sensitive data in JWT payloads since anyone with the token can decode it. All processing in this tool happens locally in your browser.

Question 5

Why can anyone decode a JWT?

Accepted Answer

JWTs are designed to be readable by anyone - they use Base64 encoding, not encryption. The security of a JWT comes from its signature, which proves the token hasn't been tampered with and was issued by a trusted source. Sensitive data should never be stored in JWT payloads.

JWT Decoder

About JWT Decoder

Frequently Asked Questions

Related Tools