token JWT Debugger

Decode, inspect, and verify JSON Web Tokens with signature validation, claim analysis, and token builder

Encoded Token

Paste your JWT to decode and inspect

construction JWT Builder

expand_more

Header

Algorithm (alg)

Type (typ)

Key ID (kid) - Optional

Payload

Subject (sub)

Issuer (iss)

Audience (aud)

Expiration (exp)

Custom Claims (JSON)

Signing Secret / Private Key

Example Tokens

Click to load and inspect

help JWT Reference

expand_more

Registered Claims

Claim	Name	Description
`iss`	Issuer	Who issued the token
`sub`	Subject	Who the token is about (user ID)
`aud`	Audience	Who the token is intended for
`exp`	Expiration	When the token expires (Unix timestamp)
`nbf`	Not Before	Token not valid before this time
`iat`	Issued At	When the token was created
`jti`	JWT ID	Unique identifier for the token

Supported Algorithms

Algorithm	Type	Description
`HS256`	Symmetric	HMAC with SHA-256
`HS384`	Symmetric	HMAC with SHA-384
`HS512`	Symmetric	HMAC with SHA-512
`RS256`	Asymmetric	RSA Signature with SHA-256
`RS384`	Asymmetric	RSA Signature with SHA-384
`RS512`	Asymmetric	RSA Signature with SHA-512
`ES256`	Asymmetric	ECDSA with P-256 and SHA-256
`ES384`	Asymmetric	ECDSA with P-384 and SHA-384
`ES512`	Asymmetric	ECDSA with P-521 and SHA-512
`PS256`	Asymmetric	RSA-PSS with SHA-256
`none`	None	No signature (unsafe!)

JWT Debugger - Decode and Verify JSON Web Tokens

Decode, inspect, and verify JSON Web Tokens (JWT) directly in your browser. Our free JWT debugger helps developers understand token contents, validate signatures, and troubleshoot authentication issues.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way of representing claims between two parties. JWTs are commonly used for authentication and information exchange in web applications and APIs. Each token consists of three parts separated by dots: Header, Payload, and Signature.

JWT Structure

header.payload.signature

┌──────────┐  ┌─────────────┐  ┌───────────┐
│  HEADER  │.│   PAYLOAD   │.│ SIGNATURE │
│ (Base64) │ │  (Base64)   │ │ (Base64)  │
└──────────┘  └─────────────┘  └───────────┘
     │              │               │
  Algorithm      Claims         Verify
  Token Type    User Data      Integrity

Features

Instant Decoding: Paste any JWT and instantly see decoded header and payload
Claim Inspection: Human-readable explanations of standard claims (exp, iat, nbf, etc.)
Token Timeline: Visual representation of token validity period
Signature Verification: Verify HMAC signatures with your secret key
JWT Builder: Create new tokens with custom claims and expiration
Example Tokens: Pre-built examples for testing and learning
Expiration Check: Instantly see if tokens are expired or not yet valid

Common JWT Use Cases

Authentication: Stateless user sessions without server-side storage
Authorization: Encode roles and permissions in the token
API Access: Service-to-service authentication
Single Sign-On: Share identity across multiple applications
Refresh Tokens: Long-lived tokens for obtaining new access tokens

Security Considerations

Never expose secrets: Keep signing keys secure and rotate them regularly
Always validate: Verify signature, expiration, and issuer on the server
Use HTTPS: JWTs are not encrypted, so use TLS in transit
Short expiration: Use short-lived tokens with refresh tokens
Avoid none algorithm: Never accept unsigned tokens in production

Privacy

All JWT decoding and verification happens directly in your browser. No tokens or secrets are sent to any server. Your data stays completely private.