Q: Can I verify JWT signature?

Signature verification requires: 1) the secret key (for HMAC algorithms like HS256) or 2) the public key (for RSA algorithms like RS256). Verification confirms token wasn't tampered. This decoder only decodes - it doesn't verify. Use jwt.verify() in your application code with proper key.

Question 1

What is a JWT token?

Accepted Answer

JWT (JSON Web Token) is a compact, URL-safe token format for transmitting claims between parties. Structure: header.payload.signature, each base64url encoded. Header specifies algorithm, payload contains claims (user ID, expiration, etc.), signature ensures integrity. Used for authentication, API authorization, and single sign-on.

Question 2

How do I decode a JWT?

Accepted Answer

JWT decoding: split token by dots into 3 parts, base64url decode each part. Header and payload are JSON objects, signature is a hash. This decoder shows all three parts. Note: decoding reveals payload without verification - always verify signature with proper key before trusting claims.

Question 3

What claims are in a JWT payload?

Accepted Answer

Standard claims: sub (subject/user ID), iss (issuer), aud (audience), exp (expiration timestamp), iat (issued at timestamp), nbf (not valid before). Custom claims: roles, permissions, email, name, organization. Claims determine what the token represents and when it's valid.

Question 4

How do I check if JWT is expired?

Accepted Answer

Check exp claim: Unix timestamp of expiration. Compare to current time: if exp timestamp < now, token is expired. This decoder highlights expiration status. For 1-hour token: exp = iat + 3600. API servers reject expired tokens with 401 Unauthorized.

Question 5

Can I verify JWT signature?

Accepted Answer

Signature verification requires: 1) the secret key (for HMAC algorithms like HS256) or 2) the public key (for RSA algorithms like RS256). Verification confirms token wasn't tampered. This decoder only decodes - it doesn't verify. Use jwt.verify() in your application code with proper key.

JWT Decoder

JWT Structure Reference

Developer Use Cases

⚠ Security Notes