Toolery

JWT Debugger

Decode and inspect JSON Web Tokens securely in your browser

Privacy Notice: All token decoding happens in your browser. No data is sent to any server.

How to Use

  1. Paste your JWT token into the textarea
  2. The token will be automatically decoded as you type
  3. View the decoded header, payload, and signature sections
  4. Check the expiration status to see if the token is still valid
  5. Read inline descriptions of common JWT claims
  6. Copy the decoded payload for further use

What is a JWT Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed using a secret (HMAC algorithm) or a public/private key pair (RSA or ECDSA). JWTs consist of three parts separated by dots: header.payload.signature. The header contains metadata about the token type and signing algorithm, the payload contains claims (statements about an entity and additional data), and the signature ensures the token hasn't been altered. JWTs are commonly used in authentication and authorization flows, particularly in OAuth 2.0, OpenID Connect, and single sign-on (SSO) systems. They're base64url-encoded, making them URL-safe and compact enough to be sent in HTTP headers, URL parameters, or POST request bodies.

How Our JWT Debugger Works

Our JWT debugger performs all decoding operations entirely in your browser using client-side JavaScript—no server calls are made, and your tokens never leave your device. When you paste a JWT token, the tool splits it by the dot delimiter into three segments (header, payload, signature), then base64url-decodes the header and payload sections to reveal the original JSON data. Base64url decoding is a URL-safe variant of base64 that replaces '+' with '-' and '/' with '_', and removes padding. The tool uses the jwt-decode library for robust payload parsing and automatically detects common JWT claims like exp (expiration), iat (issued at), and nbf (not before), converting Unix timestamps into human-readable dates. It's important to understand that decoding is not the same as verification—anyone can decode a JWT to read its contents, but only parties with the correct signing key can verify its authenticity. Our client-side approach ensures maximum privacy and security, making it safe to debug even sensitive development tokens.

Common Use Cases

  • Debugging authentication flows during development—quickly inspect tokens returned by authentication servers to verify claims and structure
  • Verifying token claims before making API calls—check that the token contains required scopes, audience, and hasn't expired
  • Checking token expiration during development—identify why API calls are failing by confirming if access tokens have expired
  • Inspecting OAuth tokens from identity providers—understand what data providers like Google, Auth0, or Okta include in their tokens
  • Validating JWT structure in CI/CD pipelines—ensure tokens generated by automated systems follow expected formats
  • Learning JWT structure for security education—understand how JWTs work by examining real examples from different systems
  • Troubleshooting single sign-on integrations—decode SAML responses converted to JWT format to diagnose SSO issues
  • Reviewing custom claims in multi-tenant applications—verify that tenant IDs, roles, and permissions are correctly encoded

Tips and Best Practices

  • Never paste production tokens containing real user data into online tools hosted by third parties—this tool is safe because it processes everything client-side, but not all JWT debuggers do
  • Always verify JWT signatures on the server side, not just decode them—decoding reveals the contents but doesn't prove authenticity
  • Set reasonable expiration times for different token types—15 minutes for access tokens, several days for refresh tokens—to balance security and user experience
  • Use the nbf (not before) claim to prevent tokens from being used before a specific time, useful for scheduled activation or clock skew handling
  • Rotate signing keys periodically and maintain a key rotation strategy to limit damage if a key is compromised
  • Include only necessary claims in JWTs to keep token size small—large tokens increase bandwidth usage and can exceed HTTP header size limits
  • Never store sensitive information like passwords or payment details in JWT payloads—they're easily decoded by anyone
  • Validate all claims on the server including issuer (iss), audience (aud), and expiration (exp) before trusting token contents
  • Use strong signing algorithms like RS256 (RSA with SHA-256) for production systems rather than symmetric algorithms like HS256 when possible