JWT Debugger & Decoder

Decode and analyze JSON Web Tokens with detailed inspection and validation

Technical documentation

Inside the anatomy of JSON Web Tokens (RFC 7519).

Structure overview

JWTs consist of three Base64URL-encoded parts separated by dots: Header, Payload, and Signature. They provide a stateless way to identify users and transmit permissions.

Primary Claims

  • exp — Token expiration safety check
  • sub — Principal subject identification
  • iss — Registered issuer authority

Session info

Local Processing

Tokens are decoded locally using client-side logic. Your sensitive keys and payloads never leave your browser.

Frequently Asked Questions

What is a JWT token?

JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. It consists of three parts separated by dots: Header (algorithm and token type), Payload (claims/data), and Signature (verification). JWTs are commonly used for authentication and information exchange in web applications and APIs.

How do I decode a JWT token?

To decode a JWT: 1) Copy your JWT token, 2) Paste it into the input field, 3) Click 'Decode Token', or let the token auto-decode. The tool will display the Header (algorithm, type), Payload (all claims including user data, expiration), and Signature. You can switch between tabs to view each section in detail.

What information is in a JWT payload?

A JWT payload contains claims - statements about an entity (typically the user) and additional data. Common standard claims include: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time), iat (issued at time), nbf (not before time), and jti (JWT ID). Custom claims can also be added for application-specific data.

How can I tell if a JWT token is expired?

Our JWT debugger automatically checks the 'exp' (expiration) claim in the payload and compares it to the current time. If expired, you'll see a clear 'Expired' indicator. For valid tokens, the tool shows the time remaining until expiration. The expiration timestamp is also displayed in human-readable format.

Can this tool verify JWT signatures?

This tool decodes and displays the JWT signature but does not cryptographically verify it (signature verification requires the secret key or public key). The tool shows the signature value and the algorithm used (HS256, RS256, etc.). For actual signature verification, you need that secret key or public key, typically on your server.
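
The decode and expiry check described in the answers above, as an added example that is not this tool's own source: it splits the token, Base64URL-decodes the header and payload, and classifies 'exp' against a supplied clock. The function names and the sample token are constructed for illustration; the signature is only measured, never verified, so the output is untrusted input.

```javascript
// Added example, not the tool's source. Decode-only: the signature is never
// verified here, so every returned field is untrusted input.
// Constructed sample: {"alg":"HS256","typ":"JWT"} . {"sub":"1234567890","exp":1516239022}
// followed by a placeholder signature segment (not a real HMAC).
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9' +
  '.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNTE2MjM5MDIyfQ.c2lnbmF0dXJl';

function b64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error('segment is not valid Base64URL');
  }
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  // atob exists in browsers and current Node; Buffer is the Node fallback.
  const bin = typeof atob === 'function'
    ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
  return Uint8Array.from(bin, (ch) => ch.charCodeAt(0));
}

function decodeJsonSegment(segment) {
  // fatal: true rejects invalid UTF-8 instead of silently substituting U+FFFD.
  const text = new TextDecoder('utf-8', { fatal: true }).decode(b64urlToBytes(segment));
  const value = JSON.parse(text);
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('segment is not a JSON object');
  }
  return value;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = decodeJsonSegment(parts[0]);
  const payload = decodeJsonSegment(parts[1]);
  let expiry = { status: 'no-exp' };
  if ('exp' in payload) {
    // exp is a NumericDate: seconds since the Unix epoch, not milliseconds.
    const exp = payload.exp;
    const bad = typeof exp !== 'number' || !Number.isFinite(exp) || Math.abs(exp) > 8.64e12;
    expiry = bad
      ? { status: 'invalid-exp' }
      : { status: nowSeconds < exp ? 'valid' : 'expired',
          remainingSeconds: exp - nowSeconds,
          expiresAt: new Date(exp * 1000).toISOString() };
  }
  return { header, payload, expiry,
    signatureBytes: b64urlToBytes(parts[2]).length, signatureVerified: false };
}
```
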

Is it safe to paste my JWT token here?

Yes! All JWT decoding happens locally in your browser using JavaScript. Your tokens are never uploaded to our servers or transmitted anywhere. However, be cautious with production tokens containing sensitive data - only use this tool with tokens you're comfortable processing client-side.

What JWT algorithms are supported?

The tool can decode JWTs signed with any algorithm including HS256, HS384, HS512 (HMAC), RS256, RS384, RS512 (RSA), ES256, ES384, ES512 (ECDSA), and PS256, PS384, PS512 (RSA-PSS). The algorithm is displayed in the Header section after decoding.

Can I debug JWT tokens from files?

Yes! Click the 'Upload' button to select a text file containing your JWT token. The tool supports .txt and .jwt file formats. After uploading, the token will be automatically decoded and analyzed.