JWT Debugger – Decode JSON Web Tokens Instantly
Paste a JWT to decode the header, payload, and signature. 100% client‑side, zero data transmission. Perfect for developers debugging authentication tokens.
What is a JWT (JSON Web Token)?
JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact, URL‑safe way to transmit information between parties as a JSON object. JWTs are digitally signed, so they can be verified and trusted. They are commonly used for authentication (after login, the server returns a JWT that the client includes in subsequent requests) and authorization (access control).
A JWT consists of three parts separated by dots: header, payload, and signature. Each part is Base64Url‑encoded. This tool decodes the header and payload so you can inspect the claims (like user ID, expiration time, issuer) without needing the secret key.
Structure of a JWT
Header
The header typically consists of two fields: the signing algorithm (e.g., HS256, RS256) and the token type (JWT). For example: {"alg": "HS256", "typ": "JWT"}. This part tells the verifier how to verify the signature.
Payload
The payload contains the claims – statements about an entity (usually the user) and additional metadata. Registered claims include: iss (issuer), exp (expiration time), sub (subject), aud (audience), iat (issued at), and nbf (not before). Public and private claims can be any custom JSON keys.
Signature
The signature is computed over the encoded header and encoded payload, using a secret and the algorithm specified in the header. It ensures that the token hasn’t been altered. This tool does not verify the signature because that would require the secret key, and we never ask for it. The decoded header and payload are therefore displayed as-is, unverified.
How to Use This JWT Debugger
Simply paste any JWT string into the text area. Click “Decode JWT” – the decoded header and payload will appear as formatted JSON. You can also copy the payload to your clipboard or share the token (via Web Share API) for debugging with colleagues. All processing stays in your browser; your token never leaves your device.
If the token is invalid (wrong format, corrupted base64, or JSON syntax errors), the tool will show an error message. The example token provided is a standard sample JWT used in documentation.
Security and Privacy
Many online JWT decoders send your token to a remote server for decoding. That is a serious security risk because JWTs often contain session IDs, user emails, or even API keys. Our JWT debugger runs entirely in your browser using JavaScript. No data is transmitted. You can even disconnect from the internet after the page loads, and the tool will still work. This makes it safe to use with production tokens.
Common JWT Claims Explained
iss (Issuer) – who created the token.
sub (Subject) – the user or entity the token refers to (often a user ID).
aud (Audience) – the intended recipient of the token.
exp (Expiration Time) – timestamp after which the token is invalid.
iat (Issued At) – when the token was issued.
nbf (Not Before) – earliest time the token can be accepted.
jti (JWT ID) – unique identifier to prevent replay attacks.
When you decode a token, check the exp claim – if it’s in the past, the token is expired and should be refreshed.
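The decoding steps and the exp check described above, as an added JavaScript example (not this tool's own source): it splits the token, decodes the header and payload, raises an error for each of the three failure cases named earlier, and compares exp and nbf with the current time. The names decodeJwt, b64urlToText, enc and sampleToken, and the sample token's values, are constructed for illustration; the signature is not verified.

```javascript
// Added example: decode (do not verify) a JWT and flag time-based claims.
function b64urlToText(part) {
  // Base64Url alphabet only; a length of 4n+1 can never be valid base64.
  if (!/^[A-Za-z0-9_-]+$/.test(part) || part.length % 4 === 1) {
    throw new Error("corrupted base64url segment");
  }
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // claims may contain UTF-8 text
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) {
    throw new Error("wrong format: expected header.payload.signature");
  }
  const parse = (name, part) => {
    let value;
    try {
      value = JSON.parse(b64urlToText(part));
    } catch (e) {
      throw new Error(`${name}: ${e.message}`);
    }
    if (value === null || typeof value !== "object" || Array.isArray(value)) {
      throw new Error(`${name}: not a JSON object`);
    }
    return value;
  };
  const header = parse("header", parts[0]);
  const payload = parse("payload", parts[1]);
  // exp and nbf are NumericDate values: seconds since the Unix epoch.
  const expired = typeof payload.exp === "number" && nowSeconds >= payload.exp;
  const notYetValid = typeof payload.nbf === "number" && nowSeconds < payload.nbf;
  // verified stays false: without the key, every decoded claim is untrusted input.
  return { header, payload, signature: parts[2], expired, notYetValid, verified: false };
}

// Constructed sample token (placeholder signature), built inline to run offline.
const enc = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", iss: "https://issuer.example", exp: 1700000000 }),
  "c2ln",
].join(".");
console.log(decodeJwt(sampleToken, 1700000001));
```

Passing nowSeconds explicitly makes the expiry result reproducible; omit it to compare against the current clock.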
Why Developers Need a JWT Debugger
During API development, you often receive JWTs from identity providers (Auth0, Firebase, custom backends). Inspecting the token content is essential to verify that the correct user information is included, that expiration times are set correctly, and that custom claims are present. Without a debugger, you would have to manually decode the base64 parts or write code – this tool saves time and reduces errors.