JWT Debugger

Decode and inspect JSON Web Tokens instantly. View JWT header, payload, and signature for debugging authentication systems.

What is This Tool?

A JWT debugger decodes, verifies, and generates JSON Web Tokens. Paste a JWT to inspect its header, payload, and signature. Generate new tokens with custom claims, expiration times, and signing algorithms (HS256, RS256, ES256) for testing authentication systems.

JWTs consist of three Base64url-encoded parts separated by dots: header.payload.signature. The header specifies the algorithm, the payload contains claims (iss, sub, exp, etc.), and the signature prevents tampering. JWTs are the standard for stateless authentication in modern web applications.

Common Use Cases

Auth Debugging

Decode JWTs from Authorization headers to inspect claims, expiration times, scopes, and roles for debugging auth issues.

Token Generation

Generate test JWTs with custom claims for testing protected API endpoints, middleware, and authorization logic.

Signature Verification

Verify JWT signatures using shared secrets (HS256) or public keys (RS256/ES256) to detect tampering.

Security Auditing

Inspect token lifetime, audience restrictions, and claim contents for security review and compliance.

Frequently Asked Questions

Is JWT decoding the same as decryption?

No. JWT payloads are Base64url-encoded, not encrypted. Anyone can read the claims. The signature prevents modification, not reading. Use JWE for encrypted tokens.

What is the difference between HS256 and RS256?

HS256 uses a shared secret (symmetric) — both parties need the secret. RS256 uses RSA key pairs (asymmetric) — sign with private key, verify with public key.
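
The three-part structure, the "decoding is not decryption" answer and the HS256 shared-secret model described above can be seen together in the following added example. It is not this tool's own code; the secret, the claims and all function names are constructed for illustration, and only the Python standard library is used.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # restore stripped padding

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token: str):
    """Read header and payload with no key at all (encoding is not encryption)."""
    return tuple(json.loads(b64url_decode(p)) for p in token.split(".")[:2])

def sign_hs256(claims: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(o, separators=(",", ":")).encode()) for o in (header, claims)]
    mac = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(mac)])

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims only if alg, signature and exp all check out."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless exactly 3 parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the verifier expects; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))  # parsed only after the MAC is valid
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def with_edited_payload(token: str, **changes) -> str:
    """Rewrite claims but keep the old signature, as anyone without the secret must."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = {**json.loads(b64url_decode(payload_b64)), **changes}
    return ".".join([header_b64, b64url_encode(json.dumps(claims).encode()), sig_b64])

# Constructed sample values, not taken from the page.
SECRET = b"constructed-demo-secret"
TOKEN = sign_hs256({"sub": "user-123", "role": "viewer", "exp": 2_000_000_000}, SECRET)

if __name__ == "__main__":
    print(decode_unverified(TOKEN))  # claims are readable without SECRET
    print(verify_hs256(TOKEN, SECRET, now=1_700_000_000))
    try:
        verify_hs256(with_edited_payload(TOKEN, role="admin"), SECRET, now=1_700_000_000)
    except ValueError as err:
        print("rejected:", err)
```
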

How long should JWTs be valid?

Access tokens: 5-60 minutes. Refresh tokens: days to weeks. Shorter lifetimes limit damage from stolen tokens.