Professional JWT Debugger

JWT Token Debugger & Decoder

Debug JSON Web Tokens (JWT) instantly with our free online JWT debugger. Decode JWT headers, payloads, and signatures to inspect claims, verify expiration times, and validate token integrity. Supports all major algorithms (HS256, RS256, ES256) with signature verification for HS256 tokens. Perfect for developers troubleshooting authentication, API security auditing, and learning JWT structure. Features include human-readable claim interpretation, relative time display, standard claim recognition (iss, sub, exp, nbf, iat, aud, jti), custom claim analysis, algorithm information, one-click copying, and example tokens. 100% browser-based with no server communication for complete privacy.

JWT Token

JWT Structure

HEADER•Algorithm & Type

Contains metadata about the token, including the signing algorithm

PAYLOAD•Claims

Contains the claims (data) about an entity and additional metadata

SIGNATURE•Verification

Ensures the token hasn't been modified. Created by encoding header and payload, then signing with a secret or private key

Powerful JWT Debugging Features

Decode JWT tokens instantly to view header, payload, and signature

Inspect standard claims (iss, sub, exp, nbf, iat, aud, jti) with human-readable dates

Analyze custom claims in JSON format with syntax highlighting

Verify HS256 signatures with your secret key

Check token expiration with relative time display (e.g., 'in 2 hours')

Identify JWT signing algorithms (HS256, RS256, ES256, etc.)

View signature information and validation status

Load example JWT tokens for learning purposes

Download JWT tokens for offline analysis

One-click copy for any token component

Support for all major JWT algorithms

100% browser-based - no data sent to servers

What is a JWT Debugger?

A JWT (JSON Web Token) debugger is an essential tool for developers working with authentication and authorization in web applications. Our free online JWT debugger allows you to decode, inspect, and validate JWT tokens without any server communication. Whether you're debugging authentication issues, verifying token claims, or learning about JWT structure, our tool makes JWT analysis instant and straightforward.

Understanding JWT Token Structure

JWT tokens consist of three Base64URL-encoded parts separated by dots:

Header: Contains metadata about the token, including the signing algorithm
Payload: Contains the claims (data) about an entity and additional metadata
Signature: Ensures the token hasn't been modified

Header

The header typically consists of two parts: the type of the token (typ), which is JWT, and the signing algorithm being used (alg), such as HMAC SHA256 or RSA. Example:

{ "alg": "HS256", "typ": "JWT" }

Payload

The payload contains the claims, which are statements about an entity (typically the user) and additional data. There are three types of claims: registered, public, and private claims. Example with standard claims:

{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022, "exp": 1716239022 }

Signature

The signature is used to verify that the token hasn't been tampered with. It's created by taking the encoded header, the encoded payload, a secret, and the algorithm specified in the header, then signing that. For HMAC SHA256, the signature is created as follows:

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )

Common JWT Claims

Registered Claims

These are predefined claims that are not mandatory but recommended to provide a set of useful, interoperable claims:

iss (Issuer): Identifies the principal that issued the JWT
sub (Subject): Identifies the principal that is the subject of the JWT
aud (Audience): Identifies the recipients that the JWT is intended for
exp (Expiration Time): Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing
nbf (Not Before): Identifies the time before which the JWT MUST NOT be accepted for processing
iat (Issued At): Identifies the time at which the JWT was issued
jti (JWT ID): Provides a unique identifier for the JWT

Public Claims

These can be defined at will by those using JWTs. But to avoid collisions, they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.

Private Claims

These are the custom claims created to share information between parties that agree on using them and are neither registered or public claims.

JWT Algorithms

HMAC Algorithms

HS256: HMAC using SHA-256 (most common)
HS384: HMAC using SHA-384
HS512: HMAC using SHA-512

RSA Algorithms

RS256: RSASSA-PKCS1-v1_5 using SHA-256
RS384: RSASSA-PKCS1-v1_5 using SHA-384
RS512: RSASSA-PKCS1-v1_5 using SHA-512

ECDSA Algorithms

ES256: ECDSA using P-256 and SHA-256
ES384: ECDSA using P-384 and SHA-384
ES512: ECDSA using P-521 and SHA-512

RSA-PSS Algorithms

PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512

Use Cases for JWT Debugging

1. Authentication Debugging

When implementing JWT-based authentication, developers often need to inspect tokens to understand their structure, verify claims, and troubleshoot issues. Our debugger helps you:

Verify token expiration times
Check issuer and audience claims
Inspect custom claims for user roles and permissions
Debug signature validation issues

2. API Development

When building or consuming APIs that use JWT for authorization, you can use our tool to:

Validate tokens received from clients
Inspect scopes and permissions
Verify token integrity
Understand third-party token structures

3. Security Auditing

Security professionals can use the JWT debugger to:

Audit token claims for sensitive data exposure
Verify token lifetimes and refresh policies
Check for proper signature implementation
Identify potential security vulnerabilities

4. Learning and Education

For developers new to JWT, our tool provides:

Visual representation of JWT structure
Explanation of claims and their meanings
Examples of different algorithms
Understanding of signature validation

Security Best Practices

1. Token Expiration

Always set appropriate expiration times for JWT tokens. Short-lived tokens reduce the risk of token compromise. Use refresh tokens for long-lived sessions.

2. Secure Storage

Store JWT tokens securely on the client side. Use HttpOnly cookies when possible to prevent XSS attacks. Avoid storing tokens in localStorage if the application is vulnerable to XSS.

3. Signature Validation

Always validate JWT signatures server-side. Never trust tokens without verifying their authenticity. Our tool helps you understand signature validation, but always implement proper validation in your applications.

4. Sensitive Data

Avoid storing sensitive information in JWT payloads. JWTs are just base64-encoded and can be easily decoded. Use claims for identity and authorization information only.

5. Algorithm Security

Use secure algorithms like HS256, RS256, or ES256. Avoid None algorithm which bypasses signature validation. Always specify the expected algorithm when validating tokens.

Working with Different Programming Languages

Node.js

Using the jsonwebtoken library:

const jwt = require('jsonwebtoken'); // Sign a token const token = jwt.sign( { userId: 123, username: 'john' }, 'your-secret-key', { expiresIn: '1h' } ); // Verify a token try { const decoded = jwt.verify(token, 'your-secret-key'); console.log(decoded); } catch (err) { console.log('Token invalid'); }

Python

Using PyJWT:

import jwt import datetime # Create a token payload = { 'user_id': 123, 'username': 'john', 'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=1) } token = jwt.encode(payload, 'your-secret-key', algorithm='HS256') # Decode a token try: decoded = jwt.decode(token, 'your-secret-key', algorithms=['HS256']) print(decoded) except jwt.ExpiredSignatureError: print('Token expired') except jwt.InvalidTokenError: print('Invalid token')

Java

Using java-jwt library:

import com.auth0.jwt.JWT; import com.auth0.jwt.algorithms.Algorithm; import com.auth0.jwt.exceptions.JWTVerificationException; // Create a token Algorithm algorithm = Algorithm.HMAC256("your-secret-key"); String token = JWT.create() .withSubject("123") .withClaim("username", "john") .withExpiresAt(new Date(System.currentTimeMillis() + 3600000)) .sign(algorithm); // Verify a token try { JWTVerifier verifier = JWT.require(algorithm).build(); DecodedJWT decoded = verifier.verify(token); System.out.println(decoded.getSubject()); } catch (JWTVerificationException e) { System.out.println("Invalid token"); }

PHP

Using firebase/php-jwt:

use Firebase\JWT\JWT; use Firebase\JWT\Key; // Create a token $payload = [ 'user_id' => 123, 'username' => 'john', 'exp' => time() + 3600 ]; $token = JWT::encode($payload, 'your-secret-key', 'HS256'); // Decode a token try { $decoded = JWT::decode($token, new Key('your-secret-key', 'HS256')); print_r($decoded); } catch (Exception $e) { echo 'Invalid token: ' . $e->getMessage(); }

Why Choose Our JWT Debugger?

Client-Side Processing: All decoding happens in your browser - no data sent to servers
Comprehensive Analysis: Decode header, payload, and signature with detailed explanations
Signature Validation: Verify HS256 signatures with your secret key
Human-Readable Claims: See expiration, issued at, and other timestamps in readable format
Relative Time Display: Understand when tokens expire with "in 2 hours" or "3 days ago"
Standard Claim Recognition: Automatically identifies and explains iss, sub, exp, nbf, iat, aud, jti
Custom Claim Support: View all custom claims in JSON format
Algorithm Information: Detailed information about JWT signing algorithms
One-Click Copy: Copy any part of the token with visual feedback
Example Tokens: Load example JWTs to understand the format
Download Support: Save JWT tokens to files for later analysis
Mobile Friendly: Works perfectly on desktop and mobile devices
Completely Free: No registration, no limits, no ads

Frequently Asked Questions

What is a JWT token?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and authorization in web applications. A JWT consists of three parts separated by dots: Header, Payload, and Signature. The header contains metadata about the token, the payload contains claims (data), and the signature verifies the token's authenticity.

How do I decode a JWT token?

Our JWT debugger tool makes it easy to decode JWT tokens. Simply paste your JWT token into the input field and click 'Decode JWT'. The tool will automatically parse the three parts of the token (header, payload, signature) and display them in readable format. You'll see the algorithm used, token claims like expiration time, issuer, subject, and any custom data included in the payload.

What does the JWT signature do?

The JWT signature is used to verify that the token hasn't been tampered with. It's created by encoding the header and payload, then signing them with a secret (for HMAC algorithms like HS256) or a private key (for RSA/ECDSA algorithms). When validating a JWT, the recipient can verify the signature using the corresponding secret or public key to ensure the token's integrity and authenticity.

How do I validate a JWT signature?

To validate a JWT signature with our tool, you need to provide the secret key (for HS256/HS384/HS512 algorithms) or the public key (for RS/ES algorithms). Enter your secret in the 'Secret Key' field and our tool will verify the signature. For HS256 tokens, the tool checks if the signature matches what would be generated using your provided secret. Note that for RSA/ECDSA algorithms, full validation requires the public key which our browser-based tool cannot fully process for security reasons.

What are common JWT claims?

JWT defines several standard claims: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). The exp claim is particularly important as it determines when the token expires. Our tool automatically interprets these claims and shows them with human-readable dates and relative times. You can also include custom claims specific to your application in the payload.

Why is my JWT showing as expired?

A JWT shows as expired when the current time is past the expiration time (exp claim) in the token. JWTs include an exp claim that specifies when the token should no longer be accepted. Our tool checks this timestamp and compares it to the current time. If the token is expired, you'll see an 'Expired' badge. Expired tokens should be rejected by applications for security reasons, and users should obtain a new token.

What's the difference between HS256 and RS256?

HS256 (HMAC with SHA-256) uses a shared secret key for both signing and verification. Both parties must have the same secret. RS256 (RSA with SHA-256) uses asymmetric cryptography with a private key for signing and a public key for verification. HS256 is simpler but requires secure secret distribution. RS256 is more secure for distributed systems since the private key never needs to be shared, but it's more complex to implement.

Is it safe to decode JWT tokens in this tool?

Yes, it's completely safe to decode JWT tokens in our tool. All processing happens in your browser - no data is sent to our servers. The JWT payload is just base64-encoded JSON (not encrypted), so decoding it doesn't reveal any secrets. However, you should only decode tokens you trust. Our tool also helps you verify signatures to ensure tokens haven't been tampered with. For maximum security, always validate tokens server-side in production applications.

💡 Pro Tips

Expiration Check: Always check the exp claim to ensure tokens are still valid
Issuer Verification: Verify the iss claim matches your expected token issuer
Audience Matching: Check the aud claim to ensure the token is intended for your application
Signature Validation: For HS256 tokens, always validate the signature with the correct secret
Sensitive Data: Never store passwords or sensitive PII in JWT payloads
Token Size: Keep JWTs small - large tokens impact network performance

Your adventure is about to begin