Learn how to decode and verify JWTs with precision. Master the header, payload and signature anatomy, avoid common security pitfalls like 'alg: none' and build robust API authentication.
You receive a 401 Unauthorized error from an API and have no idea why. You need to check if the token your client is sending has expired, contains the right "Claims" or is targeting the correct "Audience." But the token is an opaque string of Base64 characters that reveals nothing at a glance.
JSON Web Tokens (JWTs) are the DNA of modern authentication. They power your Google searches, your GitHub commits and your Slack messages. But if you don't understand how to "Read" them, they are just walls of garbled text.
Our JWT Decoder is designed to decode these tokens instantly in your browser. In this guide, we dive deep into the RFC 7519 standard, the math of the signature and the security vulnerabilities that can sink an entire application.
1. Anatomy: The Three-Part Structure
A JWT consists of three Base64url-encoded sections separated by dots (Header.Payload.Signature).
The Header (The Metadata)
The header tells the server how to treat the token. It usually contains the "Type" (JWT) and the "Algorithm" used for signing (like HS256 or RS256).
The Payload (The Data)
This is the heart of the token. It contains "Claims" - tiny statements about the user. Common claims include the user ID (sub), the issuer (iss) and the expiration time (exp). This is where the actual "Identity" of the user lives.
The Signature (The Security)
The signature is the "Wax Seal" on the envelope. It is created by taking the header and payload, salt-ing them with a secret key and hashing the result. If a hacker changes a single character in the payload, the signature will no longer match and the server will reject the token.
2. Standard Claims: Speaking the Same Language
To make JWTs work across different systems (like logging in with "Sign in with Google"), developers use "Registered Claims." These are three-letter codes defined by the internet standard.
iss(Issuer): Who created the token? (e.g.,auth.your-app.com).sub(Subject): Who is this token for? (Usually a unique User ID).aud(Audience): Which API is this token allowed to talk to?exp(Expiration): The exact second the token dies.
Pro Tip: The exp claim is a Unix timestamp. If you see 1708892400 in your decoded payload, paste it into our Unix Time Calculator to see exactly when your user's session will expire.
3. Symmetric vs. Asymmetric: The "Key" Choice
How do you sign a token? There are two main ways:
HS256 (Symmetric)
Both the server that Issues the token and the server that Verifies the token share the same secret. This is fast and simple, but if that secret leaks, your entire security system is compromised.
RS256 (Asymmetric)
This uses a "Key Pair." The authentication server has a Private Key (to sign) and every other service has a Public Key (to verify). This is the gold standard for microservices because individual services can verify tokens without ever knowing the secret used to create them.
4. Security: The "alg: none" Vulnerability
One of the most famous JWT attacks involves the "alg" header. In the early days, some servers would accept a token where the algorithm was set to none.
A hacker could take a token, change their user role to admin, set the algorithm to none and remove the signature. If the server wasn't configured correctly, it would see "No signature required" and grant admin access.
The Fix: Always explicitly define which algorithms your server allows. Use our JWT Decoder to inspect the headers of your incoming tokens and ensure they match your security policy.
5. JWT versus Sessions: Why the Web Shifted
In the "Old Web," servers stored a "Session ID" in a database. For every request, the server had to query the database to know who the user was.
JWTs are "Stateless." Because the data is inside the token, the server doesn't need to check a database. It just checks the signature. This makes scaling much easier - you can have 100 servers and none of them need to talk to a shared session database. They just need to know your "Public Key."
6. The "Refresh Token" Strategy
JWTs should be Short-Lived (usually 5 to 15 minutes). If a hacker steals an active JWT, they can act as the user until it expires.
To keep the user logged in without forcing them to re-enter their password every 15 minutes, we use a Refresh Token. This is a long-lived secret stored in a "Secure, HttpOnly" cookie. When the short-lived JWT expires, the app sends the Refresh Token to get a new JWT. This balances security with a smooth user experience.
7. Where to Store Your JWT?
This is a religious war in web development.
- LocalStorage: Easy to use, but vulnerable to XSS (Cross-Site Scripting). If a malicious script runs on your site, it can steal the token.
- HttpOnly Cookies: Invisible to JavaScript, meaning XSS cannot steal them. This is generally the more secure choice for sensitive applications.
8. Analyzing "OpenID Connect" (OIDC)
When you see "Sign in with Google," you are using OIDC. It is a layer on top of OAuth 2.0 that uses JWTs to pass user profile info (name, email, picture) safely.
If you are wondering why your OIDC integration is failing, paste the id_token into our JWT Decoder. You will likely find a missing "Scope" or a mismatched "Client ID" in the audience claim.
9. Performance: The Size Factor
Unlike a small random session ID, JWTs carry data. If you put too many custom claims in your token (user preferences, full profile, settings), your HTTP headers will become bloated. This can slow down your site and even hit server "Header Size" limits.
Keep your payloads lean. Only include the essential data needed for authorization.
10. Conclusion: Trust the Logic, Verify the Token
JWTs have revolutionized how we handle identity on the web. They are portable, secure and scalable - but only if you understand the rules.
Whether you are building a new API or debugging a legacy system, clarity is your best defense. Decode your tokens, verify your claims and never trust a signature you haven't checked.
Inspect your tokens with precision. Use the JWT Encoder/Decoder.
