JWT Debugger

Decode and analyze JSON Web Tokens with detailed inspection and validation


About JSON Web Tokens

What is a JWT?

JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims between two parties. They consist of three parts: header, payload, and signature, separated by dots.

Common Use Cases

  • Authentication and authorization
  • API access tokens
  • Single sign-on (SSO)
  • Information exchange
  • Stateless session management

Frequently Asked Questions

What is a JWT token?

JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. It consists of three parts separated by dots: Header (algorithm and token type), Payload (claims/data), and Signature (verification). JWTs are commonly used for authentication and information exchange in web applications and APIs.

How do I decode a JWT token?

To decode a JWT: 1) Copy your JWT token, 2) Paste it into the input field, 3) Click 'Decode Token', or let the token auto-decode. The tool will display the Header (algorithm, type), Payload (all claims including user data, expiration), and Signature. You can switch between tabs to view each section in detail.

What information is in a JWT payload?

A JWT payload contains claims - statements about an entity (typically the user) and additional data. Common standard claims include: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time), iat (issued at time), nbf (not before time), and jti (JWT ID). Custom claims can also be added for application-specific data.

How can I tell if a JWT token is expired?

Our JWT debugger automatically checks the 'exp' (expiration) claim in the payload and compares it to the current time. If expired, you'll see a clear 'Expired' indicator. For valid tokens, the tool shows the time remaining until expiration. The expiration timestamp is also displayed in human-readable format.

Can this tool verify JWT signatures?

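This tool decodes and displays the JWT signature but does not cryptographically verify it, because signature verification requires the secret key (for HMAC algorithms) or the public key (for RSA and ECDSA algorithms). The tool shows the signature value and the algorithm used (HS256, RS256, etc.). Because nothing is verified, treat the decoded header and payload as unauthenticated data. For actual signature verification, you need the signing key on your server.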
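The decode-and-expiry check described in the answers above, as an added example (not this tool's own code). The function names and the sample token are constructed for illustration, and it assumes Node.js (`Buffer`); like the tool, it does not verify the signature.

```javascript
// Added example: decode-only JWT inspection under Node.js (uses Buffer).
// Nothing here verifies the signature; all output is unauthenticated data.

function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error('invalid base64url');
  // base64url -> base64: swap the URL-safe characters and restore padding
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64');
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(b64urlDecode(parts[0]).toString('utf8'));
  const payload = JSON.parse(b64urlDecode(parts[1]).toString('utf8'));

  // exp and nbf are NumericDate values: seconds since the Unix epoch
  let status = 'no-exp';
  let secondsRemaining = null;
  if (typeof payload.exp === 'number') {
    secondsRemaining = payload.exp - nowSeconds;
    // a token is expired on or after its exp time
    status = secondsRemaining > 0 ? 'not-expired' : 'expired';
  }
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) {
    status = 'not-yet-valid';
  }
  return {
    alg: header.alg, header, payload, status, secondsRemaining,
    expiresAt: secondsRemaining === null
      ? null : new Date(payload.exp * 1000).toISOString(),
    signatureBytes: b64urlDecode(parts[2]).length,
    signatureVerified: false, // decode-only: no key, no verification
  };
}

// Constructed sample token; the third segment is a placeholder, not a real MAC.
const enc = (s) => Buffer.from(s).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_TOKEN = [
  enc(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  enc(JSON.stringify({ sub: 'user-123', iat: 1700000000, exp: 1700003600 })),
  enc('constructed-placeholder-signature'),
].join('.');

console.log(inspectJwt(SAMPLE_TOKEN, 1700000600));
```

The placeholder signature decodes without complaint, which is the point: a decoder accepts any well-formed token, so authorization decisions belong after server-side verification.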

Is it safe to paste my JWT token here?

Yes! All JWT decoding happens locally in your browser using JavaScript. Your tokens are never uploaded to our servers or transmitted anywhere. However, be cautious with production tokens containing sensitive data - only use this tool with tokens you're comfortable processing client-side.

What JWT algorithms are supported?

The tool can decode JWTs signed with any algorithm including HS256, HS384, HS512 (HMAC), RS256, RS384, RS512 (RSA), ES256, ES384, ES512 (ECDSA), and PS256, PS384, PS512 (RSA-PSS). The algorithm is displayed in the Header section after decoding.

Can I debug JWT tokens from files?

Yes! Click the 'Upload' button to select a text file containing your JWT token. The tool supports .txt and .jwt file formats. After uploading, the token will be automatically decoded and analyzed.