JWT Parser

Q: How is parsing different from decoding?

Decoding converts Base64URL to JSON and shows the raw output. Parsing analyzes the decoded JSON to identify data types, nesting levels, value formats, and claim categories. A decoder shows {"exp":1704067200} while a parser shows: exp (registered claim) → NumericDate → 1704067200 → 2024-01-01T00:00:00Z. Parsing adds semantic layers: categorizing claims as registered (RFC 7519) vs. custom, detecting timestamps vs. regular numbers, identifying arrays vs. strings, and revealing nested object structures. Use decoders for quick inspection, parsers for understanding complex token structures when documenting APIs or writing token validation code. Parsing output is ideal for generating type definitions in TypeScript, Java, or Go.

Q: What claim categories does the parser identify?

The parser categorizes claims into three groups: (1) Header claims (alg, kid, typ, x5t)—metadata about the token itself, (2) Registered claims (exp, iat, nbf, iss, sub, aud, jti)—standardized claims defined by RFC 7519 with specific semantics, (3) Custom/private claims—application-specific claims like scope, roles, email, tenant_id, permissions. This categorization helps developers understand which claims have universal meaning (exp always means expiration) versus which are provider-specific (scope format varies between Auth0, Okta, Azure AD). Registered claims have defined data types and validation rules, while custom claims require documentation from the auth provider.

Q: How does the parser handle nested objects?

The parser displays nested objects in tree format with indentation showing hierarchy levels. Example: if a token has {"permissions":{"users":{"read":true,"write":false},"orders":{"read":true}}} , the parser shows: permissions (object) → users (object) → → read (boolean: true) → → write (boolean: false) → orders (object) → → read (boolean: true). This tree view reveals structure that's hard to see in flat JSON, helping developers create nested data access code. The parser also detects when arrays contain objects, showing array index and object fields: items (array[object]) → [0] (object) → → id (string), → → name (string). Nesting depth indicators help match opening/closing braces when manually creating tokens.

Q: Can the parser generate code from token structure?

While the parser doesn't auto-generate code, its output directly maps to type definitions. For TypeScript: convert parsed fields to interface properties with detected types. For example, parsed output "scope (array[string])" becomes scope: string[] . "exp (NumericDate)" becomes exp: number . "permissions (object)" becomes a nested interface. Many developers copy the parsed field list and manually create types, which is faster and more accurate than guessing from incomplete documentation. For languages with JSON schema support, convert parsed structure to JSON Schema, then use code generators. The parser's data type detection ensures you use correct types—number for timestamps, string[] for scope arrays, boolean for flags—avoiding runtime type errors.

Parse JWT tokens with field-by-field breakdown to analyze claim structure, data types, and nested objects. Detailed parsing for reverse engineering token formats, documenting auth integrations, and understanding complex claim hierarchies in enterprise SSO systems.

Why Use JWT Parser

While decoders show raw JSON, a parser breaks down each claim into structured fields with data type annotations, nesting indicators, and value format analysis. Essential for documenting complex JWT formats from third-party OAuth providers, understanding nested permission objects in enterprise tokens, and reverse engineering undocumented auth systems. This parser reveals array structures, object hierarchies, and claim relationships that are hard to see in flat JSON output—helping developers create accurate token generation code and validation logic.

Field-by-field breakdown: Each claim shown separately with data type and nesting level
Data type detection: Automatically identifies strings, numbers, booleans, arrays, objects
Nested structure visualization: Tree view for complex claims like scope arrays or permission objects
Value format analysis: Detects timestamps, UUIDs, emails, URLs in claim values
Claim categorization: Separates registered claims (exp, iat) from custom claims

Parse JWT Structure →

Choose the Right Variant

This page: Detailed parsing with field-by-field structure analysis and type detection
Decode JWT: Quick decoding for simple claim inspection
JWT Token Decoder: Decoder with validation and security checks
JWT Decode Online: General JWT decoding tool

Step-by-Step Tutorial

Copy JWT from complex auth system (Azure AD, Okta, Auth0, custom SSO)
Paste into parser input field
Header section shows: alg (string: "RS256"), kid (string: "abc123"), typ (string: "JWT")
Registered claims section shows: exp (NumericDate: 1704067200), iat (NumericDate: 1704063600), iss (string: "https://auth.example.com"), aud (array[string]: ["api1", "api2"])
Custom claims section shows: scope (array[string]: ["read:users", "write:orders"]), permissions (object with nested fields), tenant_id (UUID format)
Use parsed structure to document token format for API integration guides
Generate token creation code based on parsed field structure and types

Real-World Use Case

A developer integrates with Azure AD OAuth but the token documentation is incomplete—it only shows a few example claims, not the full structure. They decode a real Azure AD JWT and paste it into the parser. The parser reveals 25+ fields including nested structures: roles is an array of strings, groups contains UUIDs, wids (well-known IDs) is an array, app_displayname is a string, and acr (authentication context) has specific values. Armed with this parsed structure, they create accurate TypeScript interfaces for the token, implement proper permission checks using the roles array, and add group-based access control. The parser's field-by-field breakdown saves 3-4 hours of trial-and-error testing different claim names and guessing data types. They document the complete token structure in their wiki for future developers.

Best Practices

Use parser to document token formats when integrating with third-party OAuth providers
Parse tokens from different environments (dev, staging, prod) to catch structural differences
Generate code interfaces/structs from parsed output to ensure type safety
Compare parsed structures before and after auth provider updates to detect breaking changes
Use nesting indicators to understand permission hierarchies and scope relationships
Parse tokens from failed auth attempts to identify missing or malformed claims
Document custom claim semantics after parsing—data types alone don't explain claim meaning

Performance & Limits

Parsing speed: < 20ms for comprehensive field analysis
Maximum nesting depth: Handles 10 levels of nested objects/arrays
Maximum claims: Parses tokens with 100+ distinct fields
Type detection: Recognizes 15+ value formats (UUID, email, URL, ISO date, etc.)
Offline functionality: All parsing happens locally without network

Common Mistakes to Avoid

Assuming claim names are standard: Custom claims vary by provider—parse before coding
Ignoring data types: Treating number timestamps as strings causes comparison bugs
Not checking nesting: Permissions might be nested objects, not flat arrays
Hardcoding claim structure: Auth providers update token formats—re-parse periodically
Skipping array detection: aud can be string OR array—handle both types
Missing optional claims: Not all tokens have all fields—check for existence before access

Privacy and Data Handling

All JWT parsing happens locally in your browser without server communication. The parser processes tokens entirely client-side using JavaScript—no data is uploaded or stored. However, parsed output makes sensitive claim values highly visible: emails, names, roles, tenant IDs, user IDs, and permission lists. When documenting token structures from production, redact actual values and show only field names and data types. Use private browsing mode for parsing tokens with real user data. Share only the structural output (field names + types), not actual claim values, in documentation or support tickets. For compliance (GDPR, HIPAA), parse locally and never copy parsed production tokens to shared documents.

Frequently Asked Questions

How is parsing different from decoding?

Decoding converts Base64URL to JSON and shows the raw output. Parsing analyzes the decoded JSON to identify data types, nesting levels, value formats, and claim categories. A decoder shows {"exp":1704067200} while a parser shows: exp (registered claim) → NumericDate → 1704067200 → 2024-01-01T00:00:00Z. Parsing adds semantic layers: categorizing claims as registered (RFC 7519) vs. custom, detecting timestamps vs. regular numbers, identifying arrays vs. strings, and revealing nested object structures. Use decoders for quick inspection, parsers for understanding complex token structures when documenting APIs or writing token validation code. Parsing output is ideal for generating type definitions in TypeScript, Java, or Go.

What claim categories does the parser identify?

The parser categorizes claims into three groups: (1) Header claims (alg, kid, typ, x5t)—metadata about the token itself, (2) Registered claims (exp, iat, nbf, iss, sub, aud, jti)—standardized claims defined by RFC 7519 with specific semantics, (3) Custom/private claims—application-specific claims like scope, roles, email, tenant_id, permissions. This categorization helps developers understand which claims have universal meaning (exp always means expiration) versus which are provider-specific (scope format varies between Auth0, Okta, Azure AD). Registered claims have defined data types and validation rules, while custom claims require documentation from the auth provider.

How does the parser handle nested objects?

The parser displays nested objects in tree format with indentation showing hierarchy levels. Example: if a token has {"permissions":{"users":{"read":true,"write":false},"orders":{"read":true}}}, the parser shows: permissions (object) → users (object) → → read (boolean: true) → → write (boolean: false) → orders (object) → → read (boolean: true). This tree view reveals structure that's hard to see in flat JSON, helping developers create nested data access code. The parser also detects when arrays contain objects, showing array index and object fields: items (array[object]) → [0] (object) → → id (string), → → name (string). Nesting depth indicators help match opening/closing braces when manually creating tokens.

Can the parser generate code from token structure?

While the parser doesn't auto-generate code, its output directly maps to type definitions. For TypeScript: convert parsed fields to interface properties with detected types. For example, parsed output "scope (array[string])" becomes scope: string[]. "exp (NumericDate)" becomes exp: number. "permissions (object)" becomes a nested interface. Many developers copy the parsed field list and manually create types, which is faster and more accurate than guessing from incomplete documentation. For languages with JSON schema support, convert parsed structure to JSON Schema, then use code generators. The parser's data type detection ensures you use correct types—number for timestamps, string[] for scope arrays, boolean for flags—avoiding runtime type errors.