JWT Decoder

Decode JSON Web Tokens (JWT) to view header and payload data


What is a JWT (JSON Web Token) and How Does it Work?

JSON Web Token (JWT) is an open standard (RFC 7519) used for sharing security information between a client and a server in a compact and self-contained way. It's widely used in modern authentication systems (OAuth2 and OpenID Connect).

The Anatomy of a Token

A JWT is composed of three parts separated by dots (.):

  • Header: Indicates the token type and the signing algorithm used (e.g., HS256 or RS256).
  • Payload: Contains the "claims," which are user data or permission metadata.
  • Signature: Lets the receiver verify whether the token has been altered. Important: without the server's secret key, you can read the data but cannot validate or change it.

Security: Encoding vs. Encryption

A common mistake is thinking that JWT protects data privacy. The Header and Payload are only **encoded** in Base64URL, not encrypted. Anyone with access to the token can read its contents. Therefore, **never store passwords, SSNs, or sensitive data (PII)** inside a JWT.
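As an added example (not the Octovelo tool's own code), the three-part structure above in Python: the header and payload are decoded with no key at all, while HS256 verification recomputes the HMAC over the first two parts and rejects a payload that was edited without the secret. The secret and the claims are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    """Base64URL without '=' padding, as the JWT/JWS specs require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding Base64URL strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature."""
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> tuple[dict, dict]:
    """What a decoder tool does: read header and payload without any key."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> bool:
    """What the server does: pin the algorithm, recompute the MAC, compare in constant time."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never let the token choose the algorithm
            return False
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(sig_b64))
    except ValueError:  # covers malformed Base64, JSON and missing parts
        return False


def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed; a real key is random and stays server-side
    token = encode_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "user-42", "role": "user"}, secret)
    header, payload = decode_unverified(token)  # readable without the secret
    # Edit the payload and keep the old signature: still decodable, no longer valid.
    head, _, sig = token.split(".")
    forged = ".".join([head, b64url_encode(b'{"sub":"user-42","role":"admin"}'), sig])
    return {"header": header, "payload": payload, "forged": forged,
            "original_valid": verify_hs256(token, secret), "forged_valid": verify_hs256(forged, secret)}
```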

Privacy: 100% Client-Side Decoding

Many "JWT Debugger" tools send your token to external servers. At Octovelo, decoding is done **entirely in your browser**. Your token never leaves your machine, ensuring your authentication credentials remain private and secure during development.