JWT Decoder
Decode and inspect JSON Web Tokens
What Is a JWT (JSON Web Token)?
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It encodes a set of claims as a JSON object, then signs — and optionally encrypts — it so the recipient can verify the data has not been tampered with. JWTs are the de facto standard for stateless authentication in REST APIs, single-sign-on systems, and microservice authorization.
JWT Anatomy: Header · Payload · Signature
Every JWT is three base64url-encoded segments separated by dots. The header and payload are plain JSON — readable by anyone — while the signature is a cryptographic value that can only be verified with the correct key.
Example token:

```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIiwibmFtZSI6IkFsaWNlIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNzE3MjAwMDAwLCJleHAiOjE3MTcyMDM2MDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

Decoded header:

```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```

Decoded payload:

```json
{
  "sub": "user123",
  "name": "Alice",
  "role": "admin",
  "iat": 1717200000,
  "exp": 1717203600
}
```

Why Use a JWT Decoder?
Raw JWTs look like random text. This tool instantly renders the header and payload as formatted JSON so you can inspect claims, check expiration times, and audit algorithm choices without writing a single line of code.
Standard JWT Claims Reference
RFC 7519 defines seven registered claim names. These are not required, but their use is strongly recommended for interoperability. You can add any custom claims to the payload.
| Claim | Description | Type |
|---|---|---|
| iss | Issuer — Identifies who issued the token — e.g. your auth server URL or application name. | string |
| sub | Subject — Identifies the principal the JWT is about — typically a user ID or service account. | string |
| aud | Audience — Identifies the intended recipients. The receiving party must verify this matches its own identifier. | string or string[] |
| exp | Expiration Time — Unix timestamp after which the token must not be accepted. Always set this to limit damage from a stolen token. | number |
| nbf | Not Before — Unix timestamp before which the token must not be accepted. Useful for scheduling future-dated tokens. | number |
| iat | Issued At — Unix timestamp at which the token was issued. Used to calculate token age. | number |
| jti | JWT ID — A unique identifier for the token. Enables revocation by storing and checking used JTI values server-side. | string |
JWT Signing Algorithms
The alg header parameter declares which algorithm signed the token. The choice affects security, performance, and whether third-party services can verify tokens without access to the private key.
| Algorithm | Family | Key type | Notes |
|---|---|---|---|
| HS256 | HMAC | Symmetric | Most common. Shared secret — anyone with the secret can both sign and verify. |
| HS384 | HMAC | Symmetric | Stronger HMAC variant; moderate performance cost. |
| HS512 | HMAC | Symmetric | Strongest HMAC variant. |
| RS256 | RSA | Asymmetric | Most widely used asymmetric algorithm (Google, Auth0, Okta). Public key verifies without the private key. |
| RS384 | RSA | Asymmetric | Higher-security RS variant. |
| RS512 | RSA | Asymmetric | Strongest RS variant. |
| ES256 | ECDSA | Asymmetric | Elliptic curve — shorter signatures than RSA, popular on mobile and IoT. |
| PS256 | RSA-PSS | Asymmetric | RSA-PSS: more modern and secure than PKCS1v1.5-based RS256. |
| none | — | — | No signature — critically dangerous. Never accept tokens with alg: none in production. |
Security Considerations
Decoding a JWT is always safe. Trusting a JWT without proper signature verification is not. Keep these rules in mind whenever you consume tokens in your application.
Do:
- Decode and inspect a JWT in developer tools or this tool
- Use exp, iat, and nbf to understand token lifetime
- Log payload claims for debugging (omit sensitive PII)
- Read the alg header to understand how the token was signed

Don't:
- Trust claims in the payload without verifying the signature server-side
- Accept tokens with alg: none — this means no signature at all
- Store access tokens in localStorage on high-security applications (prefer httpOnly cookies)
- Set exp far in the future for tokens that carry sensitive permissions
Common Use Cases
Decoding JWT in Code
The header and payload are base64url-encoded, so decoding just reverses the encoding. Base64url replaces + with - and / with _, and omits = padding (decoders that insist on padding need it re-added). Only verifying the signature requires the key.

Browser JavaScript:

```javascript
function decodeJWT(token) {
  // Second segment is the payload; map base64url characters back to base64.
  // atob() tolerates the missing padding.
  const [, payload] = token.split('.')
  const json = atob(payload.replace(/-/g, '+').replace(/_/g, '/'))
  return JSON.parse(json)
}
```

Node.js:

```javascript
// Buffer understands base64url directly (Node 15.7+).
const [, payload] = token.split('.')
const decoded = JSON.parse(
  Buffer.from(payload, 'base64url').toString()
)
```

Python:

```python
import base64, json

def decode_jwt(token):
    payload = token.split('.')[1]
    # urlsafe_b64decode requires padding, so restore it.
    padding = '=' * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload + padding))
```

Shell:

```bash
TOKEN="eyJhbGc..."
# Map base64url characters (- _) back to base64 (+ /) before decoding;
# stderr is discarded because base64 complains about the missing padding.
echo "$TOKEN" | cut -d. -f2 | tr '_-' '/+' | base64 -d 2>/dev/null | jq .
```