A JWT (JSON Web Token) is a compact, URL-safe token format for securely transmitting information between parties. It consists of three parts: header (algorithm), payload (claims/data), and signature. JWTs are the standard for API authentication.

Is it safe to decode a JWT?

Decoding a JWT reveals its contents but does not compromise security — the payload is base64-encoded, not encrypted. The security lies in the signature verification. However, never expose JWTs containing sensitive data in URLs or client-side logs.

Claims are statements about the user and metadata. Standard claims include: iss (issuer), sub (subject), exp (expiration), iat (issued at), and aud (audience). Custom claims can contain any application-specific data like user roles.

How long should a JWT token last?

Access tokens should expire in 15-30 minutes for security. Refresh tokens can last 7-30 days. Short-lived access tokens limit damage if compromised, while refresh tokens provide a smooth user experience without frequent re-authentication.

É seguro decodificar um JWT aqui?

Sim! Esta ferramenta roda integralmente no seu navegador. O token não é enviado a nenhum servidor.

O que significa a expiração do token?

A claim 'exp' indica quando o token expira. Após essa data o token é rejeitado.

🎫 Decodificador JWT

Decodifique JSON Web Tokens (JWT) para inspecionar o cabeçalho, payload e assinatura.

Decodes JSON Web Tokens showing header, payload, and signature without requiring the secret key, for debugging auth flows.

Key Facts

Standardized in RFC 7519 (2015)
80%+ of modern APIs use JWT
Three parts separated by dots (.)
Common algorithms: HS256, RS256

Frequently Asked Questions

What is a JWT?

Compact, URL-safe token with header (algorithm), payload (claims), and signature for API authentication.

Is decoding JWT safe?

Yes — payload is base64-encoded, not encrypted. Security is in signature verification, not content hiding.

What are JWT claims?

Statements about user: iss (issuer), sub (subject), exp (expiration), iat (issued at), aud (audience).

How long should JWT last?

Access tokens: 15-30 min. Refresh tokens: 7-30 days. Short-lived limits damage if compromised.

🎫 Decodificador JWT

O que é um JSON Web Token (JWT)?

Estrutura do JWT

Perguntas Frequentes

Key Facts

Frequently Asked Questions

🎫 Decodificador JWT

O que é um JSON Web Token (JWT)?

Estrutura do JWT

Perguntas Frequentes

Key Facts

Frequently Asked Questions

Ferramentas de desenvolvimento relacionadas