Updated 2026-04

JWT Decoder

Free online JWT decoder. Inspect the header and payload of any JSON Web Token (RFC 7519). Identifies the signing algorithm and surfaces standard claims like exp, iat, sub.

JWT is decoded locally in your browser — the token is never sent to any server.

JWT structure (RFC 7519)

Header — algorithm and token type (base64url)

Payload — claims (user data, expiry) (base64url)

Signature — HMAC or RSA/ECDSA signature over header + payload (verify server-side only)

How to use

  1. Paste your JWT into the input box. The format is three URL-safe Base64 segments separated by dots: header.payload.signature.
  2. The decoder splits the token and pretty-prints the header and payload as JSON.
  3. Standard claims are highlighted: exp (expiration), iat (issued at), sub (subject), iss (issuer).
  4. If the token is expired, the decoder warns you with the exact expiration time and how long ago it lapsed.
  5. This is a decoder, not a verifier — it does not check the signature. To verify, you need the secret (HMAC) or public key (RSA / ECDSA).

FAQ

Q Is it safe to paste a JWT into an online decoder?

A JWT contains user identity and permissions in the payload — assume anyone who decodes it can see that data. This decoder runs entirely in your browser and never uploads the token, but if your token is sensitive, only paste it into trusted local tools. After debugging, rotate any token that was visible in shared screens or clipboards.

Q What does the alg=none attack mean?

Some buggy JWT libraries accept tokens with <code>"alg": "none"</code> — meaning no signature is required. Attackers craft tokens with arbitrary payloads and the alg field set to none. Properly implemented servers must explicitly allowlist permitted algorithms (HS256, RS256, ES256) and reject everything else.

Q How long should JWT access tokens last?

OWASP and most security guidelines recommend short-lived access tokens (15 minutes to 1 hour) paired with longer-lived refresh tokens (days to weeks). Short access tokens limit blast radius if a token is leaked; refresh tokens can be revoked server-side. Avoid tokens that never expire.

Q What's the difference between HS256 and RS256?

HS256 uses HMAC with SHA-256 and a single shared secret — both signer and verifier must possess the secret. RS256 uses RSA with SHA-256 — the signer holds a private key and verifiers use a public key. RS256 is preferred when many services need to verify tokens (microservices, third parties) without sharing secrets.

Q Where should I store JWTs in a browser?

Tradeoffs: <code>localStorage</code> is convenient but vulnerable to XSS — any script on the page can read it. <code>httpOnly</code> cookies are immune to XSS but require CSRF protection. OWASP and the IETF OAuth WG generally recommend httpOnly cookies for browser apps with proper SameSite settings; SPAs sometimes use sessionStorage with careful Content Security Policy.

Q How do I verify a JWT signature?

Use a JWT library: jsonwebtoken (Node.js), PyJWT (Python), java-jwt (Java), or jose (multi-language). Pass the token, the verification key (HMAC secret or public PEM), and an explicit algorithm allowlist. Never call <code>decode</code> without verifying — that's the most common JWT bug.

Q Can I revoke a JWT before it expires?

Not directly — JWTs are stateless by design. Common workarounds: maintain a server-side token blacklist of recently revoked jti values, keep tokens short-lived (15 min) so revocation requires only waiting briefly, or use opaque session tokens stored server-side instead. Logout that requires immediate revocation is incompatible with pure JWT stateless design.

Q What is jti and do I need it?

jti = JWT ID. It's a unique identifier for the token, useful for replay-attack prevention and revocation lists. Add jti when (a) you need to support revocation, (b) you're issuing one-time tokens, or (c) you want to log every token issued. Skip it for short-lived stateless API tokens that don't need replay protection.