Question 1

What is a JWT token?

Accepted Answer

JSON Web Token (JWT) is a compact, URL-safe token format for securely transmitting information between parties. Contains three Base64-encoded parts separated by dots: header (algorithm + type), payload (claims/data), signature (verification). Used in OAuth 2.0, API authentication, single sign-on (SSO). Self-contained - no server-side session storage needed. Stateless authentication standard (RFC 7519).

Question 2

How to decode a JWT?

Accepted Answer

JWT has three parts: header.payload.signature. Decode each part separately using Base64 decoding. Header and payload are JSON objects. Signature is cryptographic verification. Example: eyJhbGc... (header) . eyJzdWI... (payload) . SflKxwRJ... (signature). Our tool automatically splits and decodes all parts. Reveals claims like user ID, expiration, issuer. Does not verify signature.

Question 3

Is JWT decoding safe?

Accepted Answer

Decoding is safe - JWTs are not encrypted by default, only Base64-encoded (publicly readable). Anyone can decode without the secret key. Decoding reveals payload data but cannot modify token. Never store sensitive data in JWT payload (visible to anyone). Use HTTPS to prevent interception. Signature verification requires secret key - use server-side validation libraries.

Question 4

What are JWT claims?

Accepted Answer

Claims are key-value pairs in JWT payload. Standard claims: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration timestamp), nbf (not before), iat (issued at), jti (JWT ID). Custom claims: roles, permissions, email. Claims are not encrypted - visible to anyone. Keep payload small (<8KB). Verify claims server-side. Expired tokens should be rejected.

Question 5

What JWT algorithms are secure?

Accepted Answer

Secure: RS256 (RSA + SHA-256, asymmetric), ES256 (ECDSA + SHA-256), PS256 (RSA-PSS). Avoid: HS256 with shared secrets in client-side apps, RS256 with weak keys (<2048 bits), none algorithm (no signature). Never accept "alg: none" tokens. Use RS256 for client apps, HS256 only for server-to-server. Verify algorithm whitelist. Key rotation recommended.

Question 6

How to verify JWT signature?

Accepted Answer

Signature verification requires the secret key (HS256) or public key (RS256). Cannot be done client-side securely. Process: decode header and payload, recreate signature using algorithm + key, compare with token signature. Use trusted libraries: jsonwebtoken (Node.js), PyJWT (Python), jose (Go). Our decoder shows signature but does not verify - use server-side validation.

Question 7

What is JWT expiration?

Accepted Answer

JWT expiration (exp claim) is Unix timestamp when token becomes invalid. Example: "exp": 1706659200 = Jan 30, 2025. Prevents token reuse after logout or compromise. Typical lifetimes: access tokens (15 min - 1 hour), refresh tokens (days - months). Expired tokens should be rejected server-side. No automatic invalidation - server must check exp claim. Use short lifetimes + refresh tokens.

Question 8

When should I use JWT?

Accepted Answer

Use JWT for: stateless API authentication, microservices communication, mobile app authentication, single sign-on (SSO), OAuth 2.0 flows. Avoid for: session management (use server-side sessions), storing sensitive data (not encrypted), long-lived tokens (use refresh tokens). Good for distributed systems, bad for centralized session control. Cannot revoke without additional infrastructure (blacklist/database).

JWT Decoder

Need Professional IT Services?

References & Citations

Key Security Terms

Base64 Encoding

JSON Web Token (JWT)

JSON (JavaScript Object Notation)

Universally Unique Identifier (UUID)

Frequently Asked Questions