The Complete Guide to JSON Web Tokens (JWT)
JSON Web Tokens (JWT) are an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Why You Need a Client-Side JWT Decoder
JWTs often carry user identifiers (PII), roles and authorization claims. Pasting a production JWT into an online tool that ships it to a backend server is a real risk: if that server logs the token, anyone who can read those logs can replay it until it expires and act as the user it was issued to.
SmartCalcTools removes this risk. Decoding a JWT needs only Base64url decoding and JSON parsing, and signature verification uses the browser's Web Crypto API, so the whole job runs inside your browser and the token is never sent over the network. You can confirm this yourself: open the browser's developer tools, watch the network tab while you paste a token, and check that no request carries it.
Structure of a JWT
A standard JWT consists of three parts separated by dots (`.`):
- Header: a Base64url-encoded JSON object naming the token type (`typ`, normally `JWT`) and the signing algorithm (`alg`, such as `HS256` for HMAC-SHA256 or `RS256` for RSA). Because the header is attacker-controlled, a verifier should pin the algorithm it expects rather than honour whatever `alg` says.
- Payload: a Base64url-encoded JSON object containing the claims. Claims are statements about an entity (typically the user) plus additional data such as `iat` and `exp`; they are readable by anyone holding the token.
- Signature: an HMAC or digital signature computed over the first two parts joined by a dot (`base64url(header) + "." + base64url(payload)`). It lets the verifier detect any change to the header or payload; when an asymmetric key is used it also proves the token was issued by the holder of the private key.
Frequently Asked Questions (FAQ)
Are JWTs encrypted?
No. A standard signed JWT (a JWS) is Base64url-encoded and digitally signed, not encrypted: anyone who obtains the token can read the header and payload without any key. This is why you should never put passwords or other secrets inside a JWT payload. If the contents must be confidential, use an encrypted JWT (JWE, RFC 7516) instead.
How do I know if a JWT is expired?
Look at the `exp` (Expiration Time) claim in the decoded payload. It is a NumericDate: seconds (not milliseconds) since the Unix epoch. RFC 7519 requires the current time to be before `exp`, so a verifier rejects the token once the current time is equal to or later than that value; many verifiers allow a few seconds of leeway for clock skew between issuer and server. A token with no `exp` claim never expires by itself, so your server's policy should decide whether to accept such tokens at all.
What does "Invalid Signature" mean?
It means the signature does not match the header and payload under the key the verifier used. Either someone changed the header or payload after signing, or the token was signed with a different key than the one the server uses to verify it (for example a key from another environment, or a rotated key that is no longer configured). In every case the server must reject the token; checking the signature before trusting any claim is what keeps an attacker from editing their own role or user ID.