JWT Debugger
Decode, inspect, and verify JSON Web Tokens (JWT) locally.
Last updated: March 26, 2026
Used 26K+ timesWhat users say
“The algorithm confusion attack FAQ is something I've never seen in another JWT tool. Decodes tokens instantly and the expiry badge saves me from manually converting Unix timestamps.”
Find this tool useful? Support the project to keep it free!
Buy me a coffeeWhat is JWT Debugger?
A JSON Web Token (JWT) is a compact, URL-safe token format defined by RFC 7519 used to securely transmit claims between parties. Every JWT consists of three Base64URL-encoded segments separated by dots: a **Header** (algorithm and token type), a **Payload** (the claims — user ID, roles, expiry, issuer), and a **Signature** (cryptographic proof the token was not tampered with). Because the header and payload are only encoded — not encrypted — they can be decoded by anyone who holds the token. The signature is what makes JWTs trustworthy.
This debugger decodes any JWT instantly in your browser and verifies HMAC signatures (HS256, HS384, HS512) without sending your token or secret to any server. It surfaces the most security-relevant information at a glance: the signing algorithm, expiry time, issued-at timestamp, issuer, audience, and all custom claims. This is the fastest way to understand what a JWT actually contains and whether its signature is valid against a known secret.
How to Use JWT Debugger
Paste your JWT string (typically starting with "eyJ...") into the input box — the Header and Payload decode instantly
Review the color-coded JSON panels: Header shows the algorithm (alg) and type (typ); Payload shows all claims
Check the Expiry badge — it shows "Valid", "Expired", or "No expiry set" based on the "exp" claim and current time
If you have the HMAC secret key, paste it into the "Verify Signature" field — a green checkmark confirms the token is untampered
Click any claim value to copy it to your clipboard for use in debugging or API testing
Common Use Cases
- Inspecting authorization tokens returned by OAuth/OIDC login providers (Auth0, Okta, AWS Cognito)
- Verifying that the correct claims (user ID, roles, permissions) are encoded in a token before debugging an access issue
- Troubleshooting "Invalid Signature" errors by verifying the token against the known server HMAC secret
- Checking token expiration — converting the "exp" Unix timestamp to a human-readable date to confirm when a session expires
- Debugging expired session tokens in a Node.js/Express or Next.js API middleware that returns 401 Unauthorized
- Verifying the correct "iss" (issuer) and "aud" (audience) claims in an OAuth 2.0 or OIDC flow
- Inspecting tokens intercepted from mobile app API calls using Charles Proxy or Proxyman during local development
- Validating tokens from third-party identity providers (Firebase Auth, Supabase, Clerk) to confirm claim structure
Example Input and Output
Decoding a typical HS256 access token — the three dot-separated segments become readable JSON claims:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.eyJzdWIiOiJ1c2VyXzEyMyIsIm5hbWUiOiJBbGljZSBTbWl0aCIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwNjc0NTYwMCwiZXhwIjoxNzA2ODMyMDAwfQ
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5cHeader:
{
"alg": "HS256",
"typ": "JWT"
}
Payload:
{
"sub": "user_123",
"name": "Alice Smith",
"role": "admin",
"iat": 1706745600, → Thu Feb 01 2024 00:00:00 UTC (issued at)
"exp": 1706832000 → Fri Feb 02 2024 00:00:00 UTC (expires)
}
Status: ✅ Valid (expires in 23h 59m)
Algorithm: HS256 (HMAC-SHA256)
Signature: ✅ Verified (secret matched)Privacy Guarantee
Your JWT and HMAC secret are never transmitted. All decoding and cryptographic verification runs in your browser using the Web Crypto API (crypto.subtle). No network request is made. Close the tab and the token is gone — nothing is stored in localStorage or cookies.
HS256 vs RS256 Limitation
This tool verifies HMAC (HS256/384/512) signatures only — you need the shared secret. For RS256/ES256 tokens (issued by Auth0, Okta, AWS Cognito, Firebase), the token can be decoded but signature verification requires the issuer's public key from their JWKS endpoint (e.g., https://your-domain.auth0.com/.well-known/jwks.json). Use the jwt.io debugger for RSA/ECDSA verification.
Security Warning
Never put production user JWTs containing PII (names, emails, roles) into any online tool — including this one. For production debugging, use tokens from a test user or a staging environment. If you must inspect a production token, do it locally using a JWT library in Node.js: const decoded = jwt.decode(token, { complete: true }) — no network involved.
Frequently Asked Questions
Is my JWT sent to a server when I paste it here?
What signature algorithms can this tool verify?
What happens if a token is expired?
What are the standard JWT claims and what do they mean?
What is the difference between HS256 and RS256?
Can I decode a JWT without the secret key?
What is an algorithm confusion attack?
How This Tool Works
A JWT is three Base64URL-encoded segments joined by dots: header.payload.signature. The tool splits the token at the dots, applies Base64URL decoding (padding-safe, replacing - with + and _ with /), and JSON.parse()s the first two parts. The exp and iat claims are converted from Unix timestamps to human-readable dates using new Date(claim * 1000). Signature verification uses the browser's native Web Crypto API — the HMAC secret is imported as a CryptoKey with crypto.subtle.importKey(), then crypto.subtle.verify() is called with the algorithm from the header against the original encoded "header.payload" bytes. This is cryptographically identical to what a production server does, so a match here confirms the token is authentic and untampered.
Technical Stack
Security and Auth Workflow
Generate safer credentials, inspect tokens, verify signatures, and compare hash outputs from the same family.