JWT Decoder / Client-side

Instantly decode JWT header and payload, view expiry and standard claims. Token never leaves your browser.


What is a JWT

A JWT (JSON Web Token) is a compact, URL-safe token format made up of three parts: a header (algorithm information), a payload (claims/data), and a signature. It is mainly used for authentication: the server issues a JWT, the client includes it in every request, and the server confirms the client's identity just by verifying the signature, with no database lookup.

JWT Security Considerations

Never store sensitive data such as passwords or credit card numbers in the JWT payload: the payload is plain Base64 encoding that anyone can read. The signature guarantees only data integrity, not confidentiality. Always use HTTPS, set a sensible expiry (15 minutes to 1 hour is recommended), and implement refresh token rotation.

Code Examples

JavaScript (jsonwebtoken)

import jwt from 'jsonwebtoken';

// Sign: the secret comes from the environment, never from source code
const token = jwt.sign(
  { sub: 'user_123', role: 'admin' },
  process.env.JWT_SECRET,
  { expiresIn: '1h' }
);

// Verify: throws JsonWebTokenError on a bad signature and
// TokenExpiredError once exp has passed, so callers must catch
const payload = jwt.verify(
  token, process.env.JWT_SECRET
);

Python (PyJWT)

import os
import time

import jwt

secret = os.environ["JWT_SECRET"]   # shared HMAC key, never hard-coded
exp_ts = int(time.time()) + 3600    # expire in one hour (Unix seconds)

# Sign
token = jwt.encode(
    {"sub": "user_123", "exp": exp_ts},
    secret,
    algorithm="HS256"
)

# Verify: pinning algorithms= means the token's own "alg" header is checked,
# not obeyed; decode() raises jwt.InvalidSignatureError on a bad signature
# and jwt.ExpiredSignatureError once exp has passed
payload = jwt.decode(
    token, secret,
    algorithms=["HS256"]
)

Go (golang-jwt)

import (
  "os"

  "github.com/golang-jwt/jwt/v5"
)

secret := []byte(os.Getenv("JWT_SECRET")) // shared HMAC key, as []byte

// Sign
token := jwt.NewWithClaims(
  jwt.SigningMethodHS256,
  jwt.MapClaims{"sub": "user_123"},
)
signed, err := token.SignedString(secret)
if err != nil {
  panic(err)
}

// Verify: pin the accepted method and check both err and parsed.Valid;
// discarding the error here would accept forged or expired tokens
parsed, err := jwt.Parse(signed,
  func(t *jwt.Token) (any, error) {
    return secret, nil
  },
  jwt.WithValidMethods([]string{"HS256"}))
if err != nil || !parsed.Valid {
  panic(err)
}

Decode only (any language)

// JWT = base64url(header)
//       + "."
//       + base64url(payload)
//       + "."
//       + signature

// Reads the two JSON parts without checking the signature: fine for
// inspection, never a substitute for verification.
function decodeJwt(token) {
  const [h, p] = token.split('.');
  const decode = s => {
    // base64url -> standard base64, then restore the padding JWTs omit
    const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64 + '='.repeat((4 - b64.length % 4) % 4);
    // atob yields a byte string; decode those bytes as UTF-8 so
    // non-ASCII claim values survive
    const bytes = Uint8Array.from(atob(padded), c => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
  };
  return { header: decode(h),
           payload: decode(p) };
}

Frequently Asked Questions

What is a JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information as a JSON object. It consists of three Base64URL-encoded parts separated by dots: Header (algorithm & token type), Payload (claims), and Signature.
Can a JWT be forged?
The payload is only Base64URL-encoded — anyone can decode and read it. However, the signature cannot be forged without the secret key. JWT security relies entirely on signature verification; sensitive data should not be stored in the payload unless you use JWE (encrypted JWT).
What are exp, iat, and nbf?
These are standard JWT claims: exp (Expiration Time) is when the token expires; iat (Issued At) is when it was issued; nbf (Not Before) means the token is invalid before that time. All timestamps are Unix time (seconds since epoch).
Why can't signature verification be done in the browser?
Verification requires the secret key (for HMAC algorithms) or public key (for RSA/ECDSA). In a pure frontend context, these keys are typically unavailable. Signature verification should always be performed server-side in production.
What's the difference between HS256 and RS256?
HS256 (HMAC-SHA256) uses a single shared secret for both signing and verification — suitable for single-service setups. RS256 (RSA-SHA256) uses a private key to sign and a public key to verify — better for microservices where the public key can be distributed safely.
Is my token safe to paste here?
Yes. This tool runs entirely in your browser with no network requests — your token never leaves your device. That said, for production tokens containing sensitive claims, exercise caution and rotate them if you suspect exposure.