JWT Debugger & Decoder

Decode and inspect JWT tokens with header, payload, and signature viewer

100% client-side · your data never leaves your browser

JWT Token:

⚠️ Security Notice: This tool decodes JWT tokens but does NOT verify signatures. Never share sensitive tokens publicly. JWT decoding happens client-side in your browser.

📖 How to Use

Paste your JWT token in the input field (format: header.payload.signature)
The tool automatically decodes and displays three sections:
- Header - Token metadata (algorithm, type)
- Payload - Claims and user data
- Signature - Verification hash
Click "Copy" on any section to copy its content
Click "Load Example" to see a sample JWT token
Review the security notice - never share production tokens publicly

About the JWT Debugger

The JWT Debugger is a free, browser-based utility for decoding and inspecting JSON Web Tokens (JWTs). Whether you're debugging authentication issues, inspecting API tokens, or learning about JWT structure, this tool provides instant visualization of JWT headers, payloads, and signatures. All decoding happens locally in your browser, ensuring your tokens remain private and secure. Perfect for developers working with OAuth, API authentication, session management, and microservices architectures.

Key Features:

Instant JWT decoding with automatic structure detection
Color-coded display of header, payload, and signature sections
100% client-side processing - your tokens never leave your browser
JSON syntax highlighting for easy reading and debugging
Individual copy buttons for each JWT section
Token structure validation with error detection

Common Use Cases:

Authentication Debugging: Inspect access tokens and refresh tokens to verify claims, expiration times, and permissions
API Integration: Debug JWT tokens used in API authentication headers to ensure correct format and claims
Security Audits: Review JWT token contents to identify over-privileged claims or unnecessary data exposure
Token Expiration: Check "exp" and "iat" claims to debug token expiration and refresh issues
Learning & Education: Understand JWT structure and how different signing algorithms work

JWT Examples & Common Patterns

Standard JWT Token Structure

// Full JWT Token (3 parts separated by dots):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

// Header (Base64URL decoded):
{
  "alg": "HS256",
  "typ": "JWT"
}

// Payload (Base64URL decoded):
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Use case: Basic JWT token with minimal claims for user identification

Access Token with Expiration

// Payload with standard claims:
{
  "sub": "user-123",
  "email": "[email protected]",
  "role": "admin",
  "iat": 1640000000,
  "exp": 1640003600,  // Expires in 1 hour
  "iss": "https://api.example.com",
  "aud": "https://app.example.com"
}

Use case: Short-lived access token with user info and expiration for API authentication

Authorization Header Usage

// HTTP Request with JWT:
GET /api/user/profile
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

// JavaScript Fetch:
fetch('/api/user/profile', {
  headers: {
    'Authorization': `Bearer ${token}`
  }
});

Use case: Sending JWT tokens in API requests using the Bearer authentication scheme

Refresh Token Pattern

// Access Token (short-lived: 15 minutes):
{
  "sub": "user-123",
  "type": "access",
  "exp": 1640001500
}

// Refresh Token (long-lived: 7 days):
{
  "sub": "user-123",
  "type": "refresh",
  "exp": 1640604800,
  "jti": "unique-token-id"
}

Use case: Implementing secure token refresh mechanism with separate access and refresh tokens

RS256 (RSA) Token Header

// Header with RSA algorithm:
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "key-id-2024-01"  // Key ID for rotation
}

// Requires public/private key pair
// Public key verifies, private key signs

Use case: Production-grade tokens with asymmetric encryption and key rotation support

Custom Claims & Permissions

{
  "sub": "user-123",
  "email": "[email protected]",
  "roles": ["admin", "moderator"],
  "permissions": ["read:users", "write:posts", "delete:comments"],
  "organization": "acme-corp",
  "iat": 1640000000,
  "exp": 1640003600
}

Use case: Role-based access control (RBAC) with granular permissions for multi-tenant applications

❓ Frequently Asked Questions

What is a JWT token and how does it work?

JWT (JSON Web Token) is a compact, URL-safe means of representing claims to be transferred between two parties. It consists of three Base64URL-encoded parts separated by dots: header.payload.signature. The header specifies the algorithm, the payload contains claims (user data), and the signature ensures the token hasn't been tampered with. JWTs are commonly used for stateless authentication in modern web applications and APIs.

How do I debug a JWT token with this tool?

Simply paste your JWT token into the input field and the tool will automatically decode and display the header, payload, and signature in separate color-coded sections. Each section shows the decoded JSON data with syntax highlighting. You can copy each section individually for further inspection or debugging. The tool also validates the token structure and shows errors for malformed tokens.

Does this tool verify JWT signatures?

No, this tool only decodes JWT tokens and displays their contents. It does NOT verify signatures. Signature verification requires the secret key (for HMAC algorithms like HS256) or public key (for RSA algorithms like RS256) and should always be done server-side for security. Never share production JWT tokens or signing keys publicly. This tool is for debugging and inspection only.

What information is in the JWT header?

The JWT header typically contains two fields: "typ" (token type, usually "JWT") and "alg" (signing algorithm like "HS256", "RS256", "ES256"). This metadata tells applications how to process and verify the token. For example, {"alg":"HS256","typ":"JWT"} indicates an HMAC SHA-256 signed JWT token.

What information is in the JWT payload?

The JWT payload contains the claims - statements about the user and additional data. Standard registered claims include "iss" (issuer), "sub" (subject/user ID), "aud" (audience), "exp" (expiration timestamp), "nbf" (not before), "iat" (issued at), and "jti" (JWT ID). You can also include custom claims like user roles, permissions, email, or any application-specific data.

Is it safe to decode my JWT tokens with this tool?

Yes, all JWT decoding happens entirely in your browser using client-side JavaScript. Your tokens never leave your device or get sent to any server. We don't log, store, or track any data. However, remember that JWT tokens are not encrypted - they're only Base64 encoded. Anyone with the token can decode and read its contents. Only signature verification (which requires the secret key) prevents tampering.

What are the common JWT signing algorithms?

Common algorithms include: HS256 (HMAC SHA-256, symmetric key), HS384 (HMAC SHA-384), HS512 (HMAC SHA-512), RS256 (RSA SHA-256, asymmetric), RS384, RS512, ES256 (ECDSA SHA-256), ES384, ES512. HMAC algorithms use the same secret for signing and verification, while RSA and ECDSA use public/private key pairs. RS256 is recommended for most production applications.

How long should JWT tokens be valid?

Short-lived access tokens (5-15 minutes) are recommended for security. Use refresh tokens (hours to days) to obtain new access tokens without requiring re-authentication. The "exp" claim in the payload defines the expiration timestamp. Always validate token expiration server-side and implement proper token refresh mechanisms.