Decode JWT tokens, audit security with A-F grading, and generate PyJWT Python code
A JSON Web Token (JWT) consists of three base64url-encoded parts separated by dots: header.payload.signature
The header specifies the signing algorithm (alg) and token type (typ). This tool decodes the header and payload (which are not encrypted, just encoded) and runs an 11-point security audit checking for common misconfigurations such as a missing expiration, insecure algorithms, sensitive data exposure, and excessive token lifetimes.
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and authorization in web applications. They consist of three base64url-encoded parts separated by dots: a header, a payload, and a signature.
Yes, decoding a JWT in the browser is safe because the header and payload are only base64url-encoded, not encrypted. Anyone with the token can read its contents. The security of a JWT comes from its signature, which prevents tampering. However, you should never put sensitive data like passwords or API keys in a JWT payload since it can be decoded by anyone.
A JWT has three parts separated by dots: (1) the Header, which specifies the signing algorithm (e.g., HS256, RS256) and token type; (2) the Payload, which contains claims like user ID, expiration time, and issuer; and (3) the Signature, which is created by signing the header and payload with a secret key or private key to ensure the token has not been tampered with.
JWT signature verification must be done server-side using the secret key (for HMAC algorithms like HS256) or the public key (for asymmetric algorithms like RS256). In Python, you can use the PyJWT library: jwt.decode(token, key, algorithms=["HS256"]). Never skip signature verification in production - it is the only thing preventing token forgery.
HS256 (HMAC-SHA256) uses a single shared secret key for both signing and verification, making it simpler but requiring the secret to be shared with every service that needs to verify tokens. RS256 (RSA-SHA256) uses an asymmetric key pair - a private key for signing and a public key for verification. RS256 is preferred for production systems because only the auth server needs the private key, while any service can verify tokens with the public key.
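The server-side HS256 verification described above, next to the unverified decode the browser tool performs and four of the audit checks it describes (alg none, missing exp, excessive lifetime, sensitive claims), as an added standard-library example that is not the tool's own code and does not use PyJWT; the secret, token contents and finding texts are constructed for the illustration:

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(part: str) -> bytes:
    """JWT uses base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build a compact JWT header.payload.signature (constructed sample tokens only)."""
    parts = [b64url_encode(json.dumps(d, separators=(",", ":")).encode()) for d in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def decode_unverified(token: str) -> tuple[dict, dict]:
    """What the browser tool does: read header and payload, trust nothing in them."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def verify_hs256(token: str, secret: bytes) -> dict:
    """Server-side check: pin the algorithm, constant-time compare the MAC, then check exp."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # rejects 'none' and alg confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    if payload.get("exp", float("inf")) <= time.time():
        raise ValueError("token expired")
    return payload

def audit(header: dict, payload: dict, max_lifetime: int = 3600) -> list[str]:
    """Four of the audit checks the tool describes (finding texts are assumptions)."""
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("insecure algorithm: none")
    if "exp" not in payload:
        findings.append("missing expiration (exp)")
    elif "iat" in payload and payload["exp"] - payload["iat"] > max_lifetime:
        findings.append("excessive lifetime")
    if any(k in payload for k in ("password", "secret", "api_key")):
        findings.append("sensitive data in payload")
    return findings
```

Note that decode_unverified happily returns the claims of a forged token; only verify_hs256 proves who issued it.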