How to Decode JWT Tokens
JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims to be transferred between two parties. They are widely used for authentication and information exchange.
Structure of a JWT
A JWT typically consists of three parts separated by dots (.):
- Header: Contains the type of token (JWT) and the signing algorithm being used (e.g., HMAC SHA256 or RSA).
- Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data.
- Signature: Used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn’t changed along the way.
How to Decode a JWT
While JWTs are Base64Url encoded, they are not encrypted (unless using JWE). This means anyone can decode the header and payload to read the contents.
Warning: Because the payload is easily readable, never put secret information (like passwords) in the payload or header elements of a JWT unless it is encrypted.
Using Our Tool
We have built a simple, secure, client-side tool to help you decode and inspect your JWT tokens. Since it runs entirely in your browser, your tokens are never sent to a server.
Manual Decoding
If you want to decode a JWT manually in JavaScript, you can split the token and decode the parts:
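    function parseJwt(token) {
        // The payload is the second dot-separated segment (header.payload.signature).
        var base64Url = token.split('.')[1];
        // Map the Base64URL alphabet back to standard Base64 so atob() accepts it.
        var base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
        // atob() returns one character per byte; percent-encode each byte so
        // decodeURIComponent() can reassemble multi-byte UTF-8 characters.
        var jsonPayload = decodeURIComponent(window.atob(base64).split('').map(function (c) {
            return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
        }).join(''));
        // Decoding only: the signature is never checked here.
        return JSON.parse(jsonPayload);
    }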
However, dealing with proper Base64 URL decoding and UTF-8 characters can be tricky. That’s why using a library like jwt-decode or our online tool is recommended.
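A stricter decoder for the cases mentioned above (missing padding, multi-byte UTF-8, malformed segments), given as an added example that is not code from the original page or from jwt-decode. The function names, the sample token and the secret-name heuristic are assumptions made for illustration; `exp` is read as seconds since the epoch per RFC 7519, and the code relies on the `atob`, `btoa`, `TextEncoder` and `TextDecoder` globals of modern browsers and Node.js 16+.

```javascript
// Decode-only inspection: nothing in this block verifies the signature.
function b64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('segment is not Base64URL');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4); // restore stripped padding
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function decodeSegment(segment) {
  // fatal: true rejects malformed UTF-8 instead of silently substituting U+FFFD.
  const text = new TextDecoder('utf-8', { fatal: true }).decode(b64urlToBytes(segment));
  const value = JSON.parse(text);
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('segment is not a JSON object');
  }
  return value;
}

function decodeJwt(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload, signature] = parts;
  return { header: decodeSegment(header), payload: decodeSegment(payload), signature, verified: false };
}

// Review checks on decoded claims: unsigned token, expiry, and secret-looking
// claim names (the article's warning). The name pattern is a heuristic (assumption).
function reviewClaims({ header, payload }, nowSeconds) {
  const notes = [];
  if (String(header.alg).toLowerCase() === 'none') notes.push('alg is "none": token is unsigned');
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) notes.push('exp is in the past');
  for (const key of Object.keys(payload)) {
    if (/pass(word)?|secret/i.test(key)) notes.push('payload claim "' + key + '" looks like a secret');
  }
  return notes;
}

// Constructed sample token (not a real credential); the signature segment is a placeholder.
function toB64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE = [
  toB64url({ alg: 'HS256', typ: 'JWT' }),
  toB64url({ sub: '1234', name: 'Zo\u00eb', exp: 1700000000, password: 'hunter2' }),
  'c2ln',
].join('.');

console.log(decodeJwt(SAMPLE), reviewClaims(decodeJwt(SAMPLE), Math.floor(Date.now() / 1000)));
```

The `verified: false` field is deliberate: decoded claims are untrusted input until the signature has been checked server-side against the expected key and algorithm.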
Conclusion
Understanding what’s inside your JWTs is crucial for debugging authentication issues. Use our JWT Decoder to quickly inspect your tokens.