JWT Decoder & Inspector

A secure browser-based tool for decoding JSON Web Tokens. Inspect headers and payloads with confidence—your tokens never leave your device.

  • 100% client-side: decoding happens in the browser, so the token is never sent to a server
  • Header and payload analysis
  • Export decoded JSON


Frequently Asked Questions

About JSON Web Tokens

JSON Web Tokens (JWT) are an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and information exchange in web development.

Token Structure

A JWT consists of three parts separated by dots:

  1. Header - Contains the algorithm used and token type
  2. Payload - Contains the claims (data)
  3. Signature - Used to verify the token (not decoded by this tool)

Common Claims

Reserved Claims:

  • iss: Issuer - identifies the principal that issued the JWT
  • sub: Subject - identifies the subject of the JWT
  • aud: Audience - identifies the recipients the JWT is intended for
  • exp: Expiration Time - identifies the time after which the JWT is no longer valid

Other Common Claims:

  • iat: Issued At - identifies the time at which the JWT was issued
  • nbf: Not Before - identifies the time before which the JWT must not be accepted
  • jti: JWT ID - provides a unique identifier for the JWT
  • name: Full Name - a common custom claim for the user's full name

Common Use Cases for JWTs

Authentication: After a user signs in, the server issues a JWT that can be used to identify the user for subsequent requests, eliminating the need to query the database for user information on each request.

Information Exchange: JWTs can securely transmit information between parties, with the signature ensuring the data hasn't been tampered with.

Authorization: JWTs can contain user roles and permissions that services can use to determine access rights.

JWT Security Best Practices

  • Use HTTPS to prevent token interception during transmission
  • Keep tokens short-lived and implement token refresh mechanisms
  • Store tokens securely (HTTP-only cookies for web applications)
  • Validate tokens on the server side before trusting their contents
  • Include only necessary data in the payload to minimize token size

Security Notice:

This tool only decodes JWTs; it does not validate signatures or verify tokens. Because anyone can produce a token with arbitrary header and payload values, decoded claims are untrusted input until the signature has been checked. For security-critical applications, always verify tokens server-side with proper cryptographic validation.