How to decode a JWT: the complete JSON Web Token guide

Reading time: 9 minutes

What a JWT is, how to decode it, and the security mistakes to avoid.

What is a JWT and what is it for

A JWT (JSON Web Token, pronounced "jot") is an open standard (RFC 7519) for transmitting information compactly and verifiably between parties as a digitally signed JSON object.

Main use cases: Authentication (stateless session), authorization (roles/permissions in payload), information exchange between microservices.

Who uses JWT: Auth0, Firebase, AWS Cognito, Supabase, most modern REST APIs, OAuth 2.0/OpenID Connect.

Decode any JWT instantly with the NexTools JWT decoder.

JWT structure: the 3 parts

A JWT has 3 dot-separated parts: xxxxx.yyyyy.zzzzz

1. Header: Algorithm and token type. {"alg": "HS256", "typ": "JWT"} → Base64url encoded.

2. Payload: Claims — user data and metadata. Standard claims: iss (issuer), sub (subject), exp (expiration), iat (issued at), aud (audience).

3. Signature: Guarantees the token wasn't tampered with. HMACSHA256(base64url(header) + "." + base64url(payload), secret)

For understanding Base64, see our Base64 guide.

How to decode a JWT step by step

Option 1: NexTools. Paste JWT in the NexTools JWT decoder — see header, payload, signature instantly. All in browser.

Option 2: Terminal. echo "token" | cut -d. -f2 | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d (the tr and awk steps restore the standard Base64 alphabet and the "=" padding that Base64url strips; without them base64 -d rejects most tokens).

Option 3: JavaScript. JSON.parse(atob(token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/'))) (atob only accepts the standard alphabet, so the Base64url characters "-" and "_" must be mapped back first).

IMPORTANT: Decoding ≠ verifying. Anyone can decode (it's Base64). VERIFYING requires the secret key. Never trust a JWT without verifying the signature.

JWT vs sessions vs cookies: when to use each

Mechanism | State     | Storage | Scalability        | Best for
JWT       | Stateless | Client  | Excellent          | APIs, microservices, SPAs
Session   | Stateful  | Server  | Needs shared store | Monolithic, SSR apps
Cookie    | Both      | Browser | Depends            | Transport for session ID or JWT

2026 recommendation: APIs: JWT. SSR web apps (Next.js): server-side sessions or JWT in httpOnly cookies.

Common JWT security mistakes

1. Storing the token in localStorage. Readable by any script on the page, so vulnerable to XSS. Better: httpOnly cookie.

2. Not verifying the signature. Anyone can then modify the claims (roles, user ID) and the server will accept them.

3. Accepting algorithm "none". The token arrives unsigned and is still accepted. Always validate the algorithm server-side instead of trusting the header.

4. Weak secret. Must be 256+ bits, random. Generate with the NexTools password generator.

5. No expiration. Leaked token = permanent access. Always set exp (15 min - 1 hour).
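The warning above that decoding is not verifying, and mistakes 2, 3 and 5 in this list, in working code. This is an added example using only the Python standard library, not NexTools code; the secret and claims are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(segment):
    # JWT segments use the URL-safe alphabet and drop '=' padding; restore it first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_unverified(token):
    # Decoding only: anyone can do this, and it proves nothing about who issued the token
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token, secret, now=None):
    # Verifying: the signature is recomputed with the secret and the claims are checked
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token pick it (this rejects "none")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check leaks nothing about the expected value
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not match")
    payload = json.loads(b64url_decode(payload_b64))
    # A missing or past exp is rejected: a leaked token must not be valid forever
    exp = payload.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or current >= exp:
        raise ValueError("token expired or has no exp claim")
    return payload

def sign_hs256(payload, secret):
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    body = json.dumps(payload, separators=(",", ":"))
    signing_input = "%s.%s" % (b64url_encode(header.encode()), b64url_encode(body.encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, b64url_encode(sig))

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; real secrets need 256+ random bits
    token = sign_hs256({"sub": "123", "role": "user", "exp": int(time.time()) + 900}, secret)
    print(decode_unverified(token))   # readable by anyone, no secret needed
    print(verify_hs256(token, secret))  # passes only with the right secret, alg and exp
```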

Access tokens vs refresh tokens

Access token: Short-lived JWT (15 min - 1h). Sent with every API request.

Refresh token: Long-lived (7-30 days). Used ONLY to get new access tokens.

Flow: Login → access + refresh tokens. Access expires → refresh gets new access. Refresh expires → re-login.

For understanding token hashes, see our hash guide.

JWT in different languages and frameworks

Node.js: jwt.sign({ userId: 123 }, 'secret', { expiresIn: '1h' })

Python: jwt.encode({"userId": 123}, "secret", algorithm="HS256")

Next.js/Auth.js: JWT as default session strategy.

Spring Boot: Spring Security + jjwt library.

Debugging JWT: tools and tips

NexTools: JWT decoder shows readable header/payload. Highlights if expired.

jwt.io: Popular debugger. CAUTION: don't paste production tokens on third-party sites.

Tips: 401 = check exp. Wrong claims = check payload fields. Signature fails = check secret/public key.

Convert exp/iat timestamps with the NexTools timestamp converter.


Frequently asked questions

Is a JWT encrypted or just encoded

Standard JWT (JWS) is ENCODED in Base64url, not encrypted. Anyone can read the payload. For encrypted JWTs, JWE exists but is less common. NEVER put sensitive data (passwords, credit cards) in a JWS.

Where should I store the JWT on the client

Safest: httpOnly cookie with Secure and SameSite=Strict flags. Prevents XSS and CSRF. localStorage is vulnerable to XSS.

How do I invalidate a JWT before it expires

JWT's main challenge: you can't directly (stateless). Options: (1) blacklist in Redis, (2) short-lived tokens + refresh, (3) rotate signing secret (invalidates ALL tokens).

HS256 vs RS256: which signing algorithm

HS256 (symmetric): one shared key both signs and verifies. Simpler; use it when the same service does both. RS256 (asymmetric): the private key signs, the public key verifies. Use it when other services need to verify tokens without holding the signing key (microservices, OAuth).

Are JWTs secure for authentication

Yes, if implemented correctly: httpOnly cookies, short expiration, refresh rotation, signature verification, strong secret. Poorly implemented, they're insecure.

Can I put anything in the JWT payload

Technically yes, but don't put sensitive data (payload is readable without key). Ideal: user ID, roles, expiration, authorization metadata. Not passwords or unnecessary PII.