
JWT Decoder & Validator

Decode and validate JSON Web Tokens with signature verification

The JWT (JSON Web Token) generator creates signed tokens used for authentication and authorization in web applications and APIs. A JWT is a compact, URL-safe string made of three base64url-encoded parts (header, payload, signature) that carries claims about a user or session. The payload is only encoded, not encrypted, so anyone holding the token can read it; the signature is what lets the verifier detect tampering. JWTs are widely used in modern web development for stateless authentication. This free JWT generator runs entirely in your browser, so tokens and secret keys are created locally without sending data to a server.
  1. Enter Header

     The header typically contains the token type ("typ": "JWT") and the signing algorithm ("alg"). Default values are usually sufficient.

  2. Enter Payload

     Add claims (data) to the payload: user ID, username, roles, expiration time ("exp"), or other custom claims as needed. Claims are only base64url-encoded, not encrypted, so anyone holding the token can read them.

  3. Set Secret Key

     Enter the secret key used to sign the token. Keep it secret: anyone who holds it can mint tokens your application will accept. For HS256, use a random secret of at least 32 bytes (256 bits), the minimum RFC 7518 requires.

  4. Choose Algorithm

     Select the signing algorithm: HS256 (HMAC with SHA-256), RS256 (RSA with SHA-256), or others. HS256 uses one shared secret for both signing and verifying; RS256 signs with a private key and verifies with the matching public key.

  5. Generate Token

     Click generate to create the JWT. The token is displayed as its three base64url-encoded parts (header, payload, signature) separated by dots.

  6. Decode Token

     Use the decoder to inspect the token contents, check the expiration, or debug token issues. Decoding needs no key and proves nothing about authenticity.

  7. Verify Signature

     Verify the signature with your secret key (HS256) or the public key (RS256) to confirm the token hasn't been tampered with. The verifying side should decide which algorithm and key to use rather than trusting the token's own "alg" header, and should reject expired tokens.

  8. Use Token

     Include the JWT in API requests, usually in the Authorization header as "Bearer <token>", for authentication and authorization.

What is a JWT used for?

JWTs are used for authentication (proving identity) and authorization (determining permissions) in web applications and APIs.

Is JWT secure?

JWTs are secure when properly implemented: strong secret keys, HTTPS in transit, short expiration times, and a verifier that checks the signature on every request using an algorithm it chose itself (rejecting "none" and any algorithm it did not expect). Never expose secret keys.

What information should I put in a JWT?

Include a user ID, username, roles, and expiration time. Avoid sensitive data like passwords: the payload is only base64url-encoded, so anyone with the token can read it. Keep payloads small for performance.

How long should JWTs be valid?

Short-lived tokens (15 minutes to 1 hour) are more secure. Use refresh tokens for longer sessions. Adjust based on your security requirements.

Can I decode a JWT without the secret?

Yes. The header and payload are only base64url-encoded and can be decoded by anyone, but verifying the signature, and therefore trusting the contents, requires the secret key (HS256) or the public key (RS256).

What's the difference between HS256 and RS256?

HS256 uses a single shared secret (symmetric): every service that verifies tokens also holds the key needed to forge them. RS256 uses a private/public key pair (asymmetric): only the issuer holds the private key, and verifiers need just the public key. RS256 is better for distributed systems with many verifying services.

Can JWTs be revoked?

JWTs are stateless, so a signed token stays valid until it expires and can't be directly revoked. To cut a session short, use short expiration times, keep a server-side deny list of revoked token IDs (the "jti" claim) that the verifier checks, or revoke the refresh token so no new access tokens are issued.

Where should I store JWTs?

Store JWTs securely: in HttpOnly cookies (most secure, since injected scripts can't read them; also set the Secure and SameSite attributes and protect the endpoints against CSRF), in memory, or in localStorage (less secure, readable by any script that runs on the page). Avoid XSS vulnerabilities in any case.

What if my JWT is stolen?

Use short expiration times, implement token refresh, monitor for suspicious activity, and consider additional security measures like IP validation.

Can I use JWTs for API authentication?

Yes, JWTs are commonly used for API authentication. Include the token in the Authorization header: "Bearer <token>".
