JWT Decoder FAQ — JSON Web Tokens, Claims & Authentication
Answers about JSON Web Tokens: how JWTs work, decoding, claims, expiration, security, and authentication patterns.
Q1 What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token for transmitting claims between parties. Three Base64url-encoded parts: header.payload.signature. Standard for API authentication and SSO. Decode with the JWT Decoder.
Q2 How do I decode a JWT?
Paste the token into the JWT Decoder to see header, payload (claims, expiration), and signature. Runs in your browser — tokens never leave your device.
Q3 What are JWT claims?
Claims are key-value pairs in the payload. Standard claims: iss (issuer), sub (subject), aud (audience), exp (expiration), iat (issued at). Custom claims: role, email, permissions.
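The decoding described in Q1 to Q3, as an added example in Node.js (this is not the page's JWT Decoder and uses no third-party package). The sample token, its claims and the placeholder signature are all constructed here; a decoder only splits and Base64url-decodes the token, it never verifies the signature.

```javascript
// Added example: parse a JWT without verifying it, the way a browser-side
// decoder does. Uses only Node's Buffer; the token below is constructed.

// Base64url -> UTF-8 string. Node accepts unpadded base64url input directly.
function base64UrlDecode(segment) {
  return Buffer.from(segment, 'base64url').toString('utf8');
}

// Split a compact JWS (header.payload.signature) into its decoded parts.
// The signature stays as raw base64url: it is meaningless without the key,
// and a decoder does not check it.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerB64)),
    payload: JSON.parse(base64UrlDecode(payloadB64)),
    signature: signatureB64,
    signed: signatureB64.length > 0, // an empty third segment is the unsecured ("none") form
  };
}

// Sort claims into registered (RFC 7519) and custom, and render the numeric
// date claims as ISO strings so expiry is readable at a glance.
const REGISTERED = new Set(['iss', 'sub', 'aud', 'exp', 'nbf', 'iat', 'jti']);
function describeClaims(payload) {
  const out = { registered: {}, custom: {} };
  for (const [k, v] of Object.entries(payload)) {
    const bucket = REGISTERED.has(k) ? out.registered : out.custom;
    bucket[k] = ['exp', 'nbf', 'iat'].includes(k) ? new Date(v * 1000).toISOString() : v;
  }
  return out;
}

// Constructed sample token: HS256 header, made-up claims, and a placeholder
// signature that would not verify against any real secret.
function sampleToken() {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = { alg: 'HS256', typ: 'JWT' };
  const payload = {
    iss: 'https://issuer.example', sub: 'user-123', aud: 'api',
    iat: 1700000000, exp: 1700000900, role: 'admin',
  };
  return `${enc(header)}.${enc(payload)}.placeholder-signature`;
}

const decoded = decodeJwt(sampleToken());
console.log(decoded.header);                  // { alg: 'HS256', typ: 'JWT' }
console.log(describeClaims(decoded.payload)); // registered dates rendered as ISO strings
```

Everything `decodeJwt` returns was readable by anyone holding the token, which is the point of Q6: decoding reveals nothing the token was not already exposing.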
Q4 Is JWT the same as OAuth?
No. JWT is a token format. OAuth 2.0 is an authorization framework. OAuth often uses JWTs as access tokens but can use opaque tokens too.
Q5 How does JWT authentication work?
The user sends credentials; the server creates a signed JWT; the client stores it and includes it in the Authorization header on subsequent requests; the server verifies the signature and extracts the claims.
Q6 Is it safe to decode a JWT?
Yes. JWT payloads are not encrypted, only Base64url-encoded. The signature ensures integrity, not confidentiality. Never put passwords in JWT payloads. The decoder reveals what is already readable.
Q7 What is the difference between HS256 and RS256?
HS256 uses a single shared secret (simpler, but every service that verifies tokens also holds the key that can create them). RS256 uses a public/private key pair (better for distributed systems where multiple services verify tokens, since only the issuer needs the private key and verifiers need only the public key).
Q8 How long should a JWT live?
Access tokens: 5-30 minutes. Refresh tokens: 7-30 days. ID tokens: 5-60 minutes. Balance security vs user experience.
Q9 What is a refresh token?
A long-lived token to obtain new access tokens without re-authentication. Should be stored securely, rotated on use, and revocable.
Q10 Can I modify a JWT?
You can modify the payload, but the signature becomes invalid. The server will reject it. This is the core security property of JWTs.
Q11 How do I check if a JWT is expired?
Decode the token and compare the exp claim (a Unix timestamp, in seconds) with the current time. The JWT Decoder shows expiration clearly. Most JWT libraries check this automatically.
Q12 Where should I store JWTs?
Best: HttpOnly, Secure, SameSite cookies. OK: an in-memory variable. Avoid: localStorage (any script running on the page can read it, so an XSS bug leaks the token). Mobile: use the platform's secure storage (Keychain, Keystore).
Q13 JWT vs session cookies?
JWT: stateless, self-contained, scalable. Sessions: stateful, require server-side storage, easier to revoke. JWT for microservices, sessions for traditional web apps.
Q14 How do I create a JWT in Node.js?
Use jsonwebtoken: jwt.sign({ userId: 123 }, 'secret', { expiresIn: '15m' }). Verify: jwt.verify(token, 'secret').
Q15 How do I create a JWT in Python?
Use PyJWT: jwt.encode({'user_id': 123, 'exp': ...}, 'secret', algorithm='HS256'). Decode: jwt.decode(token, 'secret', algorithms=['HS256']).
Q16 What is JWE?
JWE (JSON Web Encryption) encrypts the payload so it cannot be read without the key. Use when tokens carry sensitive data. JWE has 5 parts vs JWS's 3.
Q17 What is JWKS?
JWKS (JSON Web Key Set) contains public keys for verifying JWT signatures, published at a well-known URL. Enables key rotation without redeployment.
Q18 What are common JWT security mistakes?
Accepting the none algorithm, hard-coding secrets in source, not validating claims (exp, iss, aud), storing tokens in localStorage, not using HTTPS, overly long expiration, and putting sensitive data in the payload.
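An added example covering the expiry check from Q11 and the "none algorithm" and "not validating claims" mistakes from Q18: a claim validator a server would run on a decoded token alongside the signature check. The function names, allowlist, leeway value and sample payloads are constructed and are not from the page.

```javascript
// Added example: validate a decoded header and payload against what this
// server expects. Returns a list of problems; empty means the claims pass.

// Only algorithms this service actually uses. "none" is absent by design, and
// anything not in the set (including odd casings like "None") is rejected.
const ALLOWED_ALGS = new Set(['HS256', 'RS256']);

// `now` is seconds since the epoch (same unit as exp/nbf/iat); `leeway`
// absorbs small clock skew between issuer and verifier (constructed default).
function validateClaims(header, payload, expected, now, leeway = 30) {
  const problems = [];

  if (typeof header.alg !== 'string' || !ALLOWED_ALGS.has(header.alg)) {
    problems.push(`alg "${header.alg}" not allowed`);
  }

  // Expiration is mandatory here: a missing exp is a problem, not "never expires".
  if (typeof payload.exp !== 'number') {
    problems.push('exp missing');
  } else if (now > payload.exp + leeway) {
    problems.push(`expired at ${new Date(payload.exp * 1000).toISOString()}`);
  }

  // Not-before, if present.
  if (typeof payload.nbf === 'number' && now + leeway < payload.nbf) {
    problems.push('not yet valid (nbf)');
  }

  // Issuer must match exactly; a token from another tenant or environment fails here.
  if (payload.iss !== expected.iss) {
    problems.push(`issuer "${payload.iss}" is not "${expected.iss}"`);
  }

  // Audience may be a string or an array; this service's identifier must be in it,
  // otherwise a token minted for a different API could be replayed against this one.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expected.aud)) {
    problems.push(`audience ${JSON.stringify(payload.aud)} does not include "${expected.aud}"`);
  }

  return problems;
}

// Constructed verifier configuration and sample payloads.
const EXPECTED = { iss: 'https://issuer.example', aud: 'api' };
const NOW = 1700000600; // constructed "current time", between iat and exp below
const good = {
  iss: 'https://issuer.example', sub: 'user-123', aud: ['web', 'api'],
  iat: 1700000000, exp: 1700000900,
};
console.log(validateClaims({ alg: 'HS256' }, good, EXPECTED, NOW));                          // []
console.log(validateClaims({ alg: 'none' }, good, EXPECTED, NOW));                           // [ 'alg "none" not allowed' ]
console.log(validateClaims({ alg: 'HS256' }, good, EXPECTED, NOW + 600));                    // [ 'expired at 2023-11-14T22:28:20.000Z' ]
console.log(validateClaims({ alg: 'HS256' }, { ...good, aud: 'other-api' }, EXPECTED, NOW)); // one audience problem
```

Collecting every problem instead of returning on the first one makes failed logins easier to diagnose from logs; the response to the client should still be a single generic rejection.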
Q19 What is OpenID Connect?
OIDC is an identity layer on OAuth 2.0. Adds an ID Token (JWT with user info). Providers: Google, Auth0, Okta, Azure AD.
Q20 How do I revoke a JWT?
JWTs are stateless with no built-in revocation. Strategies: short expiration, token blacklist, token versioning, refresh token rotation.
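An added example of two of the strategies just listed, a token blacklist (keyed by the jti claim) and token versioning, implemented in memory. This is not the page's code; the store, user ids and payloads are constructed, and a real deployment would back both maps with a shared store such as a cache cluster so every service sees the same state.

```javascript
// Added example: revocation for stateless JWTs via a jti denylist plus a
// per-user token version. All data here is constructed for the demo.

// Denylist entries only need to live until the token's own exp: after that the
// normal expiry check rejects the token anyway, so pruning keeps the list bounded.
const denylist = new Map(); // jti -> exp (seconds since epoch)

function revokeToken(jti, exp) {
  denylist.set(jti, exp);
}

function pruneDenylist(now) {
  for (const [jti, exp] of denylist) {
    if (exp <= now) denylist.delete(jti);
  }
}

function isDenied(jti, now) {
  pruneDenylist(now);
  return denylist.has(jti);
}

// Token versioning: each user record carries a version counter that is copied
// into the token as a `ver` claim at sign time. Bumping the counter (password
// change, "log out everywhere") invalidates every token issued with the old value.
const userVersions = new Map([['user-123', 1]]); // constructed user store

function bumpVersion(userId) {
  userVersions.set(userId, (userVersions.get(userId) ?? 0) + 1);
}

// Decision for a payload whose signature and exp have already been verified.
// Unknown users are treated as revoked (the account may have been deleted).
function isRevoked(payload, now) {
  if (payload.jti && isDenied(payload.jti, now)) return true;
  const current = userVersions.get(payload.sub);
  if (current === undefined || payload.ver !== current) return true;
  return false;
}

// Demo with a constructed payload
const payload = { sub: 'user-123', jti: 't1', ver: 1, exp: 1000 };
console.log(isRevoked(payload, 500));                   // false
revokeToken('t1', payload.exp);
console.log(isRevoked(payload, 500));                   // true: jti is on the denylist
bumpVersion('user-123');
console.log(isRevoked({ ...payload, jti: 't2' }, 500)); // true: version 1 is no longer current
```

The two strategies cover different needs: the denylist revokes one specific token (a single stolen session) at the cost of a lookup per request, while versioning revokes everything a user holds with a single counter read. Both still rely on short access-token lifetimes to keep the state they must track small.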