JWT Debugger

Decode, inspect and debug JSON Web Tokens in your browser.


What is a JSON Web Token?

A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe representation of claims between two parties. A signed JWT (a JWS in compact serialization) is made of three Base64Url-encoded sections separated by dots: a header naming the signing algorithm (for example HS256, an HMAC with SHA-256, or RS256, an RSA signature over SHA-256), a payload of claims (such as the user ID, issue time, and expiry), and a signature computed over the encoded header and payload joined by a dot. Servers issue JWTs after a successful login and clients send them back on subsequent requests to prove identity.

This debugger decodes the header and payload locally in your browser so you can inspect what a token actually contains. Decoding is not the same as verifying: anyone holding a token can read it, and a decoded claim says nothing about whether the signature is valid. Decoding is still invaluable for understanding why an authentication call is failing or what an API gateway is forwarding downstream. The decode happens entirely client-side, so the token is not sent to any server; bear in mind, though, that a live access token is a bearer credential, so handle it with the same care as a password.
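The following is an added example and not the debugger's own source. It decodes a token the way the tool does, without touching the signature, and reports the time claims so an expiry problem can be spotted before a signing key is involved. It assumes Node.js 16 or later (for the built-in `base64url` encoding on `Buffer`); the function names, the sample claims and the deliberately junk signature are constructed for the example.

```javascript
// Added example, not the debugger's own source: decode a JWT the way a
// debugger does, without verifying it. Node.js 16+ (needs Buffer 'base64url').
// All names and the sample token below are constructed for this example.

const SEGMENT_RE = /^[A-Za-z0-9_-]+$/;

// Base64Url-encode a string (no padding); used only to build the sample token.
function b64urlEncode(input) {
  return Buffer.from(input).toString('base64url');
}

// Decode one Base64Url segment into a JSON object. Buffer's decoder silently
// ignores characters outside the alphabet, so the alphabet is checked first
// rather than letting garbage decode to something that looks plausible.
function decodeSegment(segment, name) {
  if (!SEGMENT_RE.test(segment)) {
    throw new Error(`${name}: not Base64Url`);
  }
  let value;
  try {
    value = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
  } catch {
    throw new Error(`${name}: not valid JSON`);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${name}: not a JSON object`);
  }
  return value;
}

// Split a compact JWT into its three parts and decode the two readable ones.
// The signature is returned as raw bytes but never checked: this is decoding,
// not verification, and it succeeds for forged and expired tokens alike.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  return {
    header: decodeSegment(h, 'header'),
    payload: decodeSegment(p, 'payload'),
    signature: Buffer.from(s, 'base64url'), // empty for "alg": "none" tokens
  };
}

// Explain the time claims relative to nowSeconds (JWT NumericDate is seconds
// since the epoch, not milliseconds). Useful for diagnosing a 401 before
// reaching for the signing key.
function claimStatus(payload, nowSeconds) {
  const status = [];
  if (typeof payload.exp !== 'number') status.push('no exp claim');
  else if (nowSeconds >= payload.exp) status.push('expired');
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) status.push('not yet valid');
  return status;
}

// Constructed sample: HS256 header, ordinary claims, and a signature segment
// that is deliberately junk. It decodes cleanly because decoding ignores it.
const SAMPLE_PAYLOAD = {
  iss: 'https://issuer.example',
  sub: 'user-42',
  iat: 1700000000,
  exp: 1700003600,
  scope: 'read',
};
const SAMPLE_TOKEN = [
  b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64urlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  b64urlEncode('not-a-real-signature'),
].join('.');

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload);
console.log('one second after exp:', claimStatus(decoded.payload, 1700003601)); // [ 'expired' ]
```

The alphabet check matters more than it looks: `Buffer.from(..., 'base64url')` drops characters it does not understand, so a mangled token copied out of a log can decode to a plausible-looking but wrong object. The `claimStatus` helper is also where the most common 401 is explained: `exp` in seconds compared against a clock in milliseconds makes every token look expired.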

Never put secrets in a JWT payload

The payload is only Base64-encoded, not encrypted. Anyone holding the token can read every claim. Passwords, API keys, and personally-identifiable information do not belong in unencrypted claims — keep them server-side and reference them by ID instead.

Reject tokens with "alg": "none"

A token whose header advertises alg: none has no signature at all; its third section is empty. Some older JWT libraries accepted such tokens as valid, so an attacker could strip the signature from any token, edit the payload and have it accepted. Current versions of the mainstream libraries reject "none" by default. Make sure yours is on a recent version, and pass the expected algorithm (or a short allow-list) explicitly when verifying, so that the attacker-controlled header never decides how the token is checked.

How to use

  1. Paste a JWT (the long string with two dots) into the input field.
  2. The header and payload sections decode immediately and render as syntax-highlighted JSON.
  3. Read the standard claims: iss (issuer), sub (subject), exp (expiry), iat (issued-at), and any custom claims your service uses.
  4. If you need to verify the signature, pass the whole token, the expected algorithm and the public key or shared secret to your server-side verification library; this page does not check signatures.

Common use cases

  • Debugging "401 Unauthorized" responses by checking whether the token is expired or missing a required scope.
  • Inspecting the claims forwarded by an API gateway to backend services.
  • Confirming that an OAuth2 access token was issued by the correct authorization server.
  • Teaching new team members what is and isn't safe to put in a JWT payload.

Frequently asked questions

Is it safe to paste a real JWT here?

Yes. Decoding happens entirely in your browser; the token never leaves the page. That said, a JWT often grants access to user data — when in doubt, treat it like a password and rotate it after debugging.

Why does the header show "alg": "none"?

A token whose header says "alg": "none" carries no signature at all. In production traffic this is almost always either a misconfigured issuer or an attempted forgery; servers should reject such tokens outright rather than treat them as valid.

Does this verify the signature?

No. Verification requires the signing key, which we never want you to paste into a third-party tool. Use a server-side library like jsonwebtoken (Node), pyjwt (Python), or java-jwt (Java) for verification.

What should never go into a JWT?

Anything secret. The payload is only Base64-encoded, not encrypted, so passwords, API keys and personally-identifiable information should not be placed in unencrypted claims.
