What is a JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. It's commonly used for authentication and information exchange in web applications.
Is it safe to decode my JWT tokens here?
Yes! All decoding happens entirely in your browser using JavaScript. No data is sent to our servers or any third-party services. Your tokens remain completely private and secure on your device.
How does signature verification work?
When you provide a secret key (or, for ECDSA, the public key), our tool uses the Web Crypto API to verify the JWT signature. For HMAC algorithms it recomputes the signature over the header and payload and compares the result with the signature in your token; for ECDSA it checks the token's signature against the public key. If the check passes, the signature is valid.
What algorithms are supported for signature verification?
We currently support:
- HMAC algorithms: HS256 (SHA-256), HS384 (SHA-384), and HS512 (SHA-512)
- ECDSA algorithms: ES256 (SHA-256 with P-256 curve), ES384 (SHA-384 with P-384 curve), and ES512 (SHA-512 with P-521 curve)
Support for RSA (RS256, RS384, RS512) algorithms is coming in future updates.
How do I verify ECDSA (ES256, ES384, ES512) signatures?
To verify ECDSA signatures, you need the public key. Enter the public key in one of these formats:
- PEM format: Standard PEM-encoded public key starting with "-----BEGIN PUBLIC KEY-----"
- JWK format: JSON Web Key as a JSON object with kty, crv, x, and y parameters
Example JWK format: {"kty":"EC","crv":"P-256","x":"...","y":"..."}
Why can't I verify RS256 or other RSA signatures?
RSA signature verification requires the public key in a specific format. We're working on adding support for RSA algorithms. For now, you can use other tools or libraries for RSA verification.
What does "Invalid Signature" mean?
An invalid signature means one of the following:
- The secret key you entered is incorrect
- The token has been tampered with or modified
- The header or payload has changed since the token was signed
- The token was signed with a different secret key
Do I need to provide a secret key?
No, the secret key is optional. You can decode and view the header and payload of any JWT without a secret key. The secret key is only needed if you want to verify the signature.
What's the difference between decoding and verifying?
Decoding means extracting and displaying the header and payload from a JWT. This doesn't require a secret key and doesn't verify authenticity.
Verifying means checking that the signature is valid using the secret key (or, for ECDSA, the public key). This confirms the token hasn't been tampered with and was signed by someone holding the correct secret key (or the matching private key).
Can I use this tool for production tokens?
While our tool is secure (everything runs locally), we recommend caution with production tokens and secret keys. Use this tool primarily for development and debugging. Never share your production secret keys.
Why does my JWT have three parts?
A JWT consists of three Base64URL-encoded parts separated by dots (.):
- Header: Contains metadata (algorithm, token type)
- Payload: Contains the claims (data)
- Signature: Ensures the token hasn't been altered
Format: header.payload.signature
What information is in the payload?
The payload contains claims - statements about an entity (typically, the user) and additional data. Common claims include:
- sub: Subject (user ID)
- iat: Issued at (timestamp)
- exp: Expiration time (timestamp)
- iss: Issuer
- aud: Audience
- Custom claims specific to your application
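Checking the registered claims listed above, as an added example that is not part of the tool. It works on a payload that has already been decoded and assumes the signature was verified first; a claim check on an unverified token proves nothing. The expected issuer, the audience value and the 60-second clock-skew allowance are assumptions chosen for the example, and the payloads are constructed demo data.

```javascript
// Added example, not the tool's code: validating exp, iat, iss and aud on a decoded
// payload. Run this only after the signature has been verified.
// The issuer/audience values and the skew allowance are assumptions for this example.

const DEFAULT_SKEW_SECONDS = 60;

// options: { issuer, audience, now (unix seconds), skew (seconds) }
// Returns { ok, problems } so the caller can log every failing claim, not just the first.
function validateClaims(payload, options = {}) {
  const { issuer, audience, skew = DEFAULT_SKEW_SECONDS } = options;
  const now = options.now ?? Math.floor(Date.now() / 1000);
  const problems = [];

  if (typeof payload !== 'object' || payload === null) {
    return { ok: false, problems: ['payload is not an object'] };
  }

  // exp: reject once the current time passes the expiry (allowing for clock skew).
  if (typeof payload.exp !== 'number') problems.push('exp claim missing');
  else if (now >= payload.exp + skew) problems.push('token expired');

  // iat: an issue time in the future usually means a clock problem or a forged token.
  if (typeof payload.iat === 'number' && payload.iat > now + skew) problems.push('iat is in the future');

  // iss: the token must come from the issuer this service trusts.
  if (issuer !== undefined && payload.iss !== issuer) problems.push('issuer mismatch');

  // aud: RFC 7519 allows a single string or an array; this service must be listed.
  if (audience !== undefined) {
    const auds = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (!auds.includes(audience)) problems.push('audience mismatch');
  }

  return { ok: problems.length === 0, problems };
}
```

Treating a missing exp as a failure is a policy choice made here; RFC 7519 makes exp optional, but a token that never expires is rarely what a service wants to accept.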
Can JWT tokens be encrypted?
Standard JWTs are signed but not encrypted - anyone who holds the token can decode and read the header and payload, so never put passwords or other secrets in the payload. For encrypted tokens, use JWE (JSON Web Encryption). Our tool currently supports standard JWTs only.
Why do I see an error message?
Common error reasons:
- Invalid JWT format: The token must have exactly three parts separated by dots
- Invalid Base64 encoding: One or more parts isn't valid Base64URL and couldn't be decoded
- Invalid JSON: The header or payload isn't valid JSON
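A decoder that splits a token into the three parts described under "Why does my JWT have three parts?" and reports the three error classes just listed, as an added example that is not the tool's own code. It only decodes; it never examines the signature bytes, which is the separate verify step. The sample tokens its helpers build are constructed for the example, with a placeholder where the signature would be.

```javascript
// Added example, not the tool's code: decode a JWT into header and payload and
// classify failures as the FAQ does (format, Base64URL, JSON). No signature check.
// The sample tokens built below are constructed; the signature part is a placeholder.

const BASE64URL = /^[A-Za-z0-9_-]*$/; // JWS parts are unpadded, so "=" is rejected too

function decodePart(part, name) {
  // Buffer silently drops characters outside the alphabet, so validate first.
  if (!BASE64URL.test(part)) throw new Error(`${name} is not valid Base64URL`);
  return Buffer.from(part, 'base64url').toString('utf8');
}

function parseJsonObject(text, name) {
  const value = JSON.parse(text); // throws SyntaxError on malformed JSON
  if (typeof value !== 'object' || value === null || Array.isArray(value)) {
    throw new SyntaxError(`${name} must be a JSON object`);
  }
  return value;
}

// Returns { ok: true, header, payload, signatureLength } or { ok: false, error, detail }.
function decodeJwt(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) {
    return { ok: false, error: 'Invalid JWT format', detail: `expected 3 dot-separated parts, found ${parts.length}` };
  }
  const [h, p, s] = parts;

  let headerText, payloadText;
  try {
    headerText = decodePart(h, 'header');
    payloadText = decodePart(p, 'payload');
    if (!BASE64URL.test(s)) throw new Error('signature is not valid Base64URL');
  } catch (e) {
    return { ok: false, error: 'Invalid Base64 encoding', detail: e.message };
  }

  let header, payload;
  try {
    header = parseJsonObject(headerText, 'header');
    payload = parseJsonObject(payloadText, 'payload');
  } catch (e) {
    return { ok: false, error: 'Invalid JSON', detail: e.message };
  }

  return { ok: true, header, payload, signatureLength: Buffer.from(s, 'base64url').length };
}

// Helpers for building sample tokens (the signature part is a placeholder, not a real MAC).
function encodePart(value) {
  return Buffer.from(typeof value === 'string' ? value : JSON.stringify(value)).toString('base64url');
}

function sampleToken() {
  return `${encodePart({ alg: 'HS256', typ: 'JWT' })}.${encodePart({ sub: 'user-123', exp: 1700000300 })}.${encodePart('placeholder-signature')}`;
}
```

The explicit alphabet check is the part worth copying: Node's Buffer (and browser atob after URL-safe substitution) drops or misreads stray characters rather than failing, so without it a corrupted token can decode to plausible-looking but wrong JSON instead of producing the "Invalid Base64 encoding" error.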
Is this tool open source?
Yes! This is an open-source project. You can review the code, contribute improvements, or report issues through our repository.
Does this tool work offline?
Once the page is loaded, the tool works completely offline since all processing happens in your browser. You can even save the HTML file and use it locally without an internet connection.
Can I integrate this into my application?
Yes! Since this is open source, you can integrate the code into your own applications. The JWT decoding logic is pure JavaScript and can be easily adapted.