Size Analyzer

Size Analyzer

JWT size analyzer online. Check JWT token length in characters and bytes. See header vs payload size breakdown and get warnings for oversized tokens.

Why JWT Size Matters

  • • JWTs are sent with every HTTP request in the Authorization header
  • • Large tokens increase bandwidth and can exceed server header limits
  • • Some proxies and load balancers have strict header size limits
  • • Cookies have a ~4KB limit if you're storing JWTs there

Features

  • Measures the total token length in characters and bytes
  • Breaks down how much space the header, payload, and signature use
  • Warns when a token is large enough to bump into common limits
  • Helps you see which claims are inflating the payload
  • Runs locally so tokens stay on your machine

Common Use Cases

  • Trimming a token that no longer fits inside a cookie
  • Investigating why requests fail with header-too-large errors
  • Deciding which claims to move out of the token and fetch on demand
  • Keeping mobile requests lean where every byte of overhead counts

Why token size is worth watching

A JWT is sent on every request that needs authentication, usually in the Authorization header. That means the token's size is pure overhead added to each call, so a bloated payload quietly slows things down and eats bandwidth.

Size also runs into hard limits. Many web servers cap total header size (commonly around 8 KB), reverse proxies and load balancers may be stricter, and if you store the token in a cookie you are bound by the ~4 KB per-cookie limit. Tokens usually grow because of large or numerous custom claims.

If a token gets too big, the usual fix is to keep only an identifier in the token and look up the rest of the data server-side.

Examples

Valid - A compact token with few claims
{ "sub": "123", "exp": 1916239022 }
Invalid - Bloated payload (large claims add up fast)
{ "sub": "123", "permissions": ["a","b","c","d","e","f","g"], "profile": { "bio": "..." } }

Frequently Asked Questions

How big can a JWT be?
There is no fixed limit in the spec, but practical limits apply: web servers often cap headers near 8 KB and cookies are limited to about 4 KB. Staying comfortably under a couple of kilobytes is a good target.
What makes a token large?
Usually the payload — long custom claims, arrays of permissions, or embedded profile data. The header and signature are small and fairly constant by comparison.
How do I shrink a token?
Keep only what the client truly needs (like a user id and expiry), use short claim names, and fetch heavier data from your API instead of packing it into the token.