A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It is commonly used for authentication and authorization in web applications. A JWT consists of three parts separated by dots: the Header, the Payload, and the Signature.
The Header specifies the token type and signing algorithm (e.g., HS256, RS256). The Payload contains claims — statements about an entity (typically the user) and additional metadata. Common claims include "sub" (subject), "iat" (issued at), "exp" (expiration), and "role" (user role). The Signature is used to verify the token's integrity but is not decoded by this tool.
This debugger decodes the Header and Payload locally in your browser without sending the token to any server. It also interprets common time-based claims (iat, exp, nbf) and shows their human-readable dates. Remember: anyone can decode a JWT, so never store sensitive data in the payload. The security of a JWT relies on the signature, which ensures the token has not been tampered with.
What Is a JSON Web Token (JWT)?
A JSON Web Token is a compact, self-contained way to securely transmit information between two parties as a JSON object. When you log in to a web application, the server typically issues a JWT that your browser stores and sends with every subsequent request. The server uses the token to verify who you are without checking a database on every single request — the token itself carries that information.
JWTs look like a long string of random characters but are actually three Base64URL-encoded sections separated by dots: header.payload.signature. This debugger splits the token and decodes each section so you can read the actual JSON inside.
The Three Parts of a JWT
- Header — Contains the token type (JWT) and the signing algorithm used, such as HS256 (HMAC-SHA256) or RS256 (RSA).
- Payload — Contains the claims: pieces of information about the user or session. Standard claims include sub (subject/user ID), iat (issued at timestamp), exp (expiration timestamp), and iss (issuer). Applications add custom claims for roles, permissions, and other data.
- Signature — Created by signing the header and payload with a secret key (HS256) or the issuer's private key (RS256). Verifying the signature confirms the token has not been tampered with since it was issued.
Common JWT Debugging Scenarios
- Token expired — Check the exp claim. If it is in the past, the token is no longer valid.
- Wrong user permissions — Check the roles or scope claims in the payload.
- Authentication failing — Verify the iss (issuer) and aud (audience) claims match what the server expects.
- Token not yet valid — Some tokens have an nbf (not before) claim that prevents use before a specific time.
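The decoding steps and time-claim checks described in the two lists above, as an added example that is not part of the tool's own code. It runs in Node.js with no network access, builds a constructed sample token (throwaway payload, placeholder signature segment), splits it into its three parts, parses the header and payload, and reports whether exp or nbf make the token unusable at a given moment. The function and variable names (base64UrlDecode, decodeJwt, checkTimeClaims, SAMPLE_TOKEN) are this example's own.

```javascript
// Added example, not the debugger's own code: decode a JWT's header and payload
// locally and interpret its time-based claims (iat, exp, nbf). Runs in Node.js
// without any network access. The sample token is constructed here from a
// throwaway payload; its signature segment is a placeholder and is not checked.

// Base64URL (RFC 7515 alphabet '-' and '_', no padding) -> UTF-8 string.
function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// UTF-8 string -> Base64URL, used only to build the constructed sample token.
function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split header.payload.signature and parse the two JSON sections. The
// signature is returned untouched: it is opaque bytes, not JSON, and decoding
// it says nothing about whether it is valid.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerB64)),
    payload: JSON.parse(base64UrlDecode(payloadB64)),
    signature: signatureB64,
  };
}

// Interpret iat/exp/nbf, which are NumericDate values (seconds since the Unix
// epoch). `now` is injectable so the result is deterministic.
function checkTimeClaims(payload, now = Math.floor(Date.now() / 1000)) {
  const toIso = (seconds) => new Date(seconds * 1000).toISOString();
  const result = { usable: true };
  if (typeof payload.iat === "number") {
    result.issuedAt = toIso(payload.iat);
  }
  if (typeof payload.exp === "number") {
    result.expiresAt = toIso(payload.exp);
    result.expired = now >= payload.exp;      // RFC 7519: exp must be after now
    if (result.expired) result.usable = false;
  }
  if (typeof payload.nbf === "number") {
    result.notBefore = toIso(payload.nbf);
    result.notYetValid = now < payload.nbf;   // RFC 7519: now must be >= nbf
    if (result.notYetValid) result.usable = false;
  }
  return result;
}

// Constructed sample: issued 2023-11-14T22:13:20Z, valid for one hour.
const SAMPLE_HEADER = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
const SAMPLE_PAYLOAD = base64UrlEncode(JSON.stringify({
  sub: "user-123",
  role: "user",
  iss: "https://issuer.example",
  iat: 1700000000,
  exp: 1700003600,
}));
// The third segment is a placeholder; this example does not verify signatures.
const SAMPLE_TOKEN = `${SAMPLE_HEADER}.${SAMPLE_PAYLOAD}.placeholder-signature`;

// Demo run: decode and report the time claims as of 30 minutes after issue.
const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(JSON.stringify(decoded.header));
console.log(JSON.stringify(decoded.payload));
console.log(checkTimeClaims(decoded.payload, 1700001800));
```

Passing a fixed `now` to checkTimeClaims is what makes an expiry check reproducible in a test or an incident write-up; with the default it reports the token's status at the moment the script runs.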
Important: JWT payloads are Base64URL encoded, not encrypted. Anyone with the token can read the payload. Never store sensitive data like passwords or payment information in a JWT payload. Use JWE (JSON Web Encryption) if you need the payload to be private.
Is It Safe to Paste a JWT Into a Debugger?
This debugger runs entirely in your browser. Your token is decoded using JavaScript on your device and is never transmitted to any server. You can verify this by opening your browser's network tab while using the tool — no outbound requests are made.
For production tokens that grant administrative access or contain sensitive claims, still exercise caution. Rotate the token after inspection if there is any concern about its exposure.
Knowledge Base
The JWT Debugger decodes and inspects JSON Web Tokens locally, displaying the Header, Payload, and Signature sections in a readable format. It also interprets time-based claims like expiration and issued-at timestamps.
1. Paste your JWT token into the input field.
2. View the decoded Header and Payload sections with formatted JSON.
3. Check time claims (iat, exp, nbf) for expiration status.
JWT decoding happens entirely in your browser with no server communication. Your tokens — which may contain sensitive authentication data — never leave your device, and decoding is instant with complete privacy.
Does this tool validate JWT signatures?
This tool decodes JWT tokens to display the header and payload. It does not verify signatures, since that requires the secret key (or, for RS256, the issuer's public key). It's designed for quick debugging and inspection of token contents.
Are my tokens sent to any server?
No. JWT decoding happens entirely in your browser using Base64 decoding. Your tokens never leave your device, making it safe to debug tokens containing sensitive authentication data.