Understanding How JWT Decode Works

What is a JSON Web Token (JWT)?

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and information exchange in web development.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The Three Parts of a JWT

1. Header

The header typically consists of two parts:

  • The type of token (JWT)
  • The signing algorithm being used (e.g., HMAC SHA256 or RSA)

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims:

  • Registered claims: Predefined claims such as iss (issuer), exp (expiration time), sub (subject), aud (audience)
  • Public claims: Claims defined at will by those using JWTs
  • Private claims: Custom claims created to share information between parties

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "exp": 1516239022
}

3. Signature

The signature is used to verify that the message wasn't changed along the way. To create the signature, you must take the encoded header, the encoded payload, a secret, and the algorithm specified in the header, and sign that.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

The Decoding Process

When our decoder receives a JWT, it performs the following steps:

  1. Split the Token: The JWT is split into its three components at the dots
  2. Base64URL Decode: Each part is decoded from Base64URL encoding
  3. Parse JSON: The decoded header and payload are parsed as JSON
  4. Validation (Optional): If a secret key is provided, the signature can be validated

Security Considerations

When working with JWTs, keep these security considerations in mind:

  • Never store sensitive information in the JWT payload: it is only Base64URL-encoded, not encrypted, so anyone who holds the token can read it
  • Always use HTTPS to transmit JWTs
  • Set appropriate expiration times for your tokens
  • Use strong secrets or keys for signing tokens
  • Validate all claims according to your application's requirements
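As an added example (not code from this page), the check below validates the registered claims of a payload that has already been decoded and whose signature has already been verified. It compares iss and aud with the values this application expects, treats exp and nbf as NumericDate seconds as RFC 7519 defines them, and allows a small leeway for clock skew. The issuer, audience and timestamps are constructed sample values.

```javascript
// Added example (not the page's own code): validate registered claims of a decoded,
// signature-verified JWT payload against this application's expectations.
// Returns a list of problems; an empty list means every check passed.
function validateClaims(payload, expected, now = Math.floor(Date.now() / 1000), leeway = 0) {
  const problems = [];
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return ['payload is not a JSON object'];
  }
  // iss: the token must come from the issuer this application trusts.
  if (payload.iss !== expected.issuer) problems.push(`issuer mismatch: ${payload.iss}`);
  // aud: a single string or an array; this application's identifier must be listed.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expected.audience)) problems.push('audience does not include this application');
  // exp: seconds since the epoch; the token is rejected once now >= exp (plus leeway).
  if (typeof payload.exp !== 'number') problems.push('exp claim missing or not numeric');
  else if (now >= payload.exp + leeway) problems.push('token expired');
  // nbf: if present, the token must not be used before this time (minus leeway).
  if (payload.nbf !== undefined &&
      (typeof payload.nbf !== 'number' || now < payload.nbf - leeway)) {
    problems.push('token not yet valid');
  }
  return problems;
}

// Usage with constructed sample values.
const EXPECTED = { issuer: 'https://issuer.example', audience: 'api.example' };
const samplePayload = {
  iss: 'https://issuer.example',
  aud: ['api.example', 'other.example'],
  sub: '1234567890',
  nbf: 1516235422,
  exp: 1516239022,
};
console.log(validateClaims(samplePayload, EXPECTED, 1516239000)); // []
console.log(validateClaims(samplePayload, EXPECTED, 1516239022)); // [ 'token expired' ]
```

Returning a list rather than a boolean lets the caller log every failed check, which is what the error-handling and monitoring practices further down call for.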

Common Use Cases

1. Authentication

The most common use case for JWTs is authentication. Once a user logs in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.

2. Information Exchange

JWTs can be used to securely transmit information between parties. Because JWTs can be signed, you can be sure the senders are who they say they are and that the content hasn't been tampered with.

3. Authorization

Once a user is logged in, an application can use JWT to manage authorization, controlling what actions the user can perform based on claims in the token.

Best Practices for Implementation

  • Token Storage: Store tokens securely using httpOnly cookies or secure local storage
  • Token Size: Keep tokens small to minimize bandwidth impact
  • Error Handling: Implement proper error handling for token validation failures
  • Token Refresh: Implement a token refresh mechanism for long-lived sessions
  • Monitoring: Log and monitor JWT usage for security and debugging

Ready to Try JWT Decode?

Use our free online JWT decoder to analyze and validate your tokens.
