A JWT (JSON Web Token) is a compact, URL-safe token format for securely transmitting information between parties. It consists of three parts: header (algorithm), payload (claims/data), and signature. JWTs are the standard for API authentication.

Is it safe to decode a JWT?

Decoding a JWT reveals its contents but does not compromise security — the payload is base64-encoded, not encrypted. The security lies in the signature verification. However, never expose JWTs containing sensitive data in URLs or client-side logs.

Claims are statements about the user and metadata. Standard claims include: iss (issuer), sub (subject), exp (expiration), iat (issued at), and aud (audience). Custom claims can contain any application-specific data like user roles.

How long should a JWT token last?

Access tokens should expire in 15-30 minutes for security. Refresh tokens can last 7-30 days. Short-lived access tokens limit damage if compromised, while refresh tokens provide a smooth user experience without frequent re-authentication.

¿Es seguro decodificar un JWT aquí?

¡Sí! Esta herramienta se ejecuta completamente en tu navegador web. Tu token no se envía nunca a un servidor.

¿Qué significa la expiración del token?

La reclamación 'exp' indica cuándo expira el token. A partir de esa fecha, el servidor lo rechazará.

🎫 Decodificador JWT

Decodifica JSON Web Tokens (JWT) para inspeccionar la cabecera, la carga útil y la firma - completamente en el navegador.

Decodes JSON Web Tokens showing header, payload, and signature without requiring the secret key, for debugging auth flows.

Key Facts

Standardized in RFC 7519 (2015)
80%+ of modern APIs use JWT
Three parts separated by dots (.)
Common algorithms: HS256, RS256

Frequently Asked Questions

What is a JWT?

Compact, URL-safe token with header (algorithm), payload (claims), and signature for API authentication.

Is decoding JWT safe?

Yes — payload is base64-encoded, not encrypted. Security is in signature verification, not content hiding.

What are JWT claims?

Statements about user: iss (issuer), sub (subject), exp (expiration), iat (issued at), aud (audience).

How long should JWT last?

Access tokens: 15-30 min. Refresh tokens: 7-30 days. Short-lived limits damage if compromised.

🎫 Decodificador JWT

¿Qué es un JSON Web Token (JWT)?

Estructura del JWT

Preguntas Frecuentes

Key Facts

Frequently Asked Questions

🎫 Decodificador JWT

¿Qué es un JSON Web Token (JWT)?

Estructura del JWT

Preguntas Frecuentes

Key Facts

Frequently Asked Questions

Herramientas de desarrollo relacionadas