What is JWT?
JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519 for securely transmitting claims between parties. A JWT consists of three Base64URL-encoded parts separated by dots: a header that specifies the signing algorithm (such as HS256 or RS256), a payload containing claims about the user or session, and a cryptographic signature that verifies the token has not been tampered with. JWTs are the backbone of modern authentication systems including OAuth 2.0 and OpenID Connect. They are used extensively in single sign-on (SSO), API authorization, and stateless session management.
How to Use This Tool
Paste your complete JWT string into the input field and click "Decode." The tool splits the token into its three segments, decodes the header and payload from Base64URL, and displays the parsed JSON in a readable format. You can inspect claims like "iss" (issuer), "exp" (expiration), "sub" (subject), and any custom claims your application includes. Each section has a copy button for quick transfer to your development environment.
Common Use Cases
- Debugging authentication issues by inspecting token claims, expiration times, and issuer values
- Verifying that OAuth 2.0 access tokens and ID tokens contain the expected scopes and audience
- Checking token expiration ("exp" claim) to troubleshoot session timeout problems in your application
- Reviewing custom claims added by identity providers like Auth0, Firebase Auth, or AWS Cognito
Why Use a Client-Side Tool?
JWTs often carry sensitive user information including email addresses, roles, permissions, and session identifiers. Because the header and payload are only Base64URL-encoded, not encrypted, anyone who receives the token can read these values. Pasting tokens into server-based debuggers therefore means sending your authentication data to a third party. Our JWT Debugger processes tokens entirely in your browser. The token is decoded locally using JavaScript, and no network requests are made. This makes it safe to inspect production tokens, debug authentication flows, and examine tokens from any identity provider without risking data exposure.
Frequently Asked Questions
Does this tool verify the JWT signature?
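This tool decodes the header and payload for inspection only; it does not verify the signature. Verification requires the shared secret (for HMAC algorithms such as HS256) or the public key that matches the signing key (for algorithms such as RS256 or ES256), and signing secrets and private keys should remain secure on your server. Until the signature has been verified elsewhere, treat the decoded claims as unverified. The tool focuses on letting you read and understand token contents quickly.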
What do the "exp" and "iat" claims mean in a JWT?
The "exp" (expiration time) claim indicates when the token expires as a Unix timestamp. The "iat" (issued at) claim records when the token was created. Comparing these values helps you understand the token's lifetime and diagnose session-related issues.
Can I decode JWTs signed with different algorithms?
Yes. This tool decodes the Base64URL-encoded header and payload regardless of the signing algorithm. It works with tokens signed using HS256, HS384, HS512, RS256, RS384, RS512, ES256, and any other standard JWT algorithm.