Javascript is actually
a good thing!
Make sure it's turned on
so that pingidentity.com can work properly.
JWT Decoder | Ping Identity Developer Portal
  • Use * for wildcard searches (wildcar*)
  • Use ? to match a single character (gr?y matches grey and gray)
  • Use double quotes to find a phrase (“specific phrase”)
  • Use + for an exact match (+perform returns only perform)
  • Use - to exclude a word ( -excluded)
  • Use Boolean operators: AND, OR, NOT, and NEAR
Search tips

JWT Decoder

You can use this tool to decode JWTs and analyze their contents. You can also verify the signature if you have the public key.

Directions

 

Use the tool by following these steps:

 

JWT Decoding

 

  1. *First, remember that JWTs are tokens that are often used as the credentials for SSO applications. The token is entirely decoded client side (in your browser), but make sure to take proper precautions to protect your token!
  2. Grab a JWT (RFC 7519) you want to decode. 
    It should have the format of {header}.{payload}.{signature}
    (The signature may be blank if the JWT hasn't been signed.)
  3. Paste the JWT into the first text box
  4. Press the Decode button
  5. Read the decoded outputs for the header and payload!

 

Signature Verification (optional)

signature verification supports the RS256 and HS256 algorithms.

 

If using RS256 (RSA with SHA-256), enter the public key in either JWK or PEM format: 
 

  1. JWK: 
    • enter the "n" and "e" values of the public JSON Web Key (JWK)
  2. PEM:
    • enter the public key as a PEM encoded string

 

If using HS256 (HMAC with SHA-256), enter the passphrase or secret in either Hex or UTF-8 format.

 

*This tool works completely client-side, so there's nothing sent to or saved on our servers. To be extra careful, make sure you're connected to this page using https and remove any roles on the test worker app that you're getting the access token from or any scopes you don't need at this point, so that any credentials used here can’t be abused if stolen.

 

If you don't already have something that generates tokens, try out the tool by signing up for a free trial of our PingOne Cloud Platform. Then, create a worker app connection and click the “Get Access Token” button on the configuration tab under the "General" section for that app connection. Copy the access token and input it here!

What is a JWT (JSON Web Token)?

A JWT (JSON Web Token; pronounced like the word “jot”) is a particular type of token used for sharing claims. Claims are encoded JSON objects that include some information about a subject and are often used in Identity Security applications to transfer information about a user.

 

For example, after I sign in to a website, information about my account is encoded and passed around to the relevant parties in a JWT. This can enable SSO (Single Sign On); where I needn’t sign in again to another domain owned by the same company, or different companies if trust has been established. Instead, my information can be passed between domains in the JWT, so the second domain knows who I am and that I’ve already been authenticated by a trusted party.

 

The main benefits of using a JWT are:

 

  • Compact representation of information about a subject or user
  • They can be encrypted or digitally signed so the information can be passed around securely

 

Components of a JWT

 

Technically, a JWT is represented as a part of a JWS (JSON Web Signature) object or a JWE (JSON Web Encryption) object. However, the entire string is often referred to as a JWT if the payload is an encoded JWT object. JWTs are always represented using the JWS Compact Serialization or the JWE Compact Serialization.

 

There are three main parts of a JWS or JWE that include a JWT claim:

 

  1. Header - the type of encoded object in the payload and any extra encoding
  2. Payload - the JWT claims set
  3. Signature - an encoding of the header and payload

 

The main parts are encoded then concatenated with a “.” separating them, so that it looks like

 

{header}.{payload}.{signature}

 

And this is your JWS or JWE object!

 

Now, I’ll briefly describe each of these components.

 

Header

 

The header includes information about how the JWT claims set, the payload, is encoded. For example, take a look at the following header:

 

{

    “typ”:”JWT”,

    ”alg”:”HS256”

}

This tells us that we have a JWT that is integrity protected with the HMAC SHA-256 algorithm. The payload with a JWE including this header will be of a JWT signed and encrypted with the HMAC SHA-256 algorithm. The type may be left out if the JWSs and JWEs used by the application are JWT types. It’s intended to avoid confusion when different types are being used.

 

Payload

 

The payload contains the JWT object itself, and the JWT itself is just a set of claims. For example, take a look at the following payload:

 
{

    “aud”: “https://api.pingone.com”,

    “iss”: “https://auth.pingone.com/abcdefg12345/as”

    “exp: “1300819380”

}

This payload has an audience (“aud”) of the PingOne for Customers API, an issuer (“iss”) of the PingOne for Customers Authorization Server, and has a set expiration date (“exp”). These are some common claim names, but they will vary depending on the application and service being used.

 

Signature

 

The signature is the header and payload (JWT claims set) encoded using the algorithm specified in the header. In our example above it would be the encoded header concatenated with a period and the encoded JWT claims set hashed with the HMAC SHA-256 algorithm.

Developer Tools

Check out our developer tools to help you work with SAML, JWTs, PKCE, OAuth, OIDC, and more!

 Try it out

Developer Community

Visit our community portal to find answers to your Ping Identity questions from other developer members in our community.

 Join the discussion