JWT Decoder & Debugger
Free online tool to decode, verify HS256 signatures, and inspect JWT tokens.
Free online JWT Decoder and Debugger. Decode JWT (JSON Web Token) to inspect header, payload, and signature. Verify HS256 signatures and check expiration.
2. Our tool automatically decodes the Header and Payload.
3. Review security warnings and claim explanations.
4. Use the Code tab to see how to verify it in your app.
• Header: Algorithm and token type.
• Payload: Data/Claims (user info, permissions).
• Signature: Used to verify the token integrity.
What is JWT Decoder & Debugger?
JWT Decoder is a free online tool for decoding, inspecting, and debugging JWT (JSON Web Token) tokens. It allows you to decode headers and payloads, verify HS256 signatures, and perform automated security audits. Inspect critical token claims like expiration time (exp), issuer (iss), and subject (sub) with ease. Ideal for developers debugging authentication flows or verifying API token integrity.
Whether you're investigating authentication issues, auditing token security, or learning about the JWT standard, our tool provides a comprehensive, 100% client-side solution. No data ever leaves your browser.
1. Security Analysis (Alpha)
Our tool now automatically performs a security audit on your token:
- Algorithm Check: Detects if alg: "none" is used (major vulnerability).
- Expiration Audit: Identifies long-lived tokens that may be security risks.
- Sensitive Data Scan: Warns if fields like password or secret are found in the payload.
- Encryption Type: Identifies whether the token uses a symmetric or an asymmetric algorithm.
2. Implementation Guide
Need to verify this token in your backend? Simply click the "Code" tab to get production-ready snippets for:
- Node.js (jsonwebtoken)
- Python (PyJWT)
- Go (golang-jwt)
How to use JWT Decoder?
Decode a JWT Token
To decode a JWT:
- Paste your JWT token in the input field.
- Review Security Analysis at the top for any potential issues.
- Inspect Claims with detailed tooltips explaining each standard claim.
- View decoded content automatically displayed in the Header, Payload, or Signature tabs.
- Get Implementation Snippets from the Code tab for your backend.
Understanding JWT Parts
JWT consists of 3 parts separated by dots (.):
- Header: Token type and signing algorithm
- Payload: Claims and user data
- Signature: Cryptographic signature for verification
Features
- Security Analysis - Automatic detection of vulnerabilities (None algorithm, long-lived tokens, etc.)
- Implementation Guide - Get code snippets for Node.js, Python, and Go to verify your tokens.
- Smart Countdown - Real-time countdown for token expiration.
- Instant Decoding - Decode JWT as you paste.
- Detailed Claim Explanations - Hover over claims to understand their purpose (iss, sub, aud, etc.).
- Three-part Display - View header, payload, and signature separately.
- Token Information - See expiration, issuer, subject, and unique JWT IDs.
- Expiration Check - Automatic validation of token expiry with visual badges.
- Pretty JSON - Formatted JSON output with syntax highlighting for readability.
- Copy to Clipboard - Copy decoded parts or implementation code easily.
- Dark Theme Support - High-quality aesthetics for both light and dark modes.
- Privacy First - 100% client-side only; your tokens never leave your browser.
Use Cases
1. Debug Authentication Tokens
Inspect JWT from login responses:
Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Decoded Header:
{
"alg": "HS256",
"typ": "JWT"
}
Decoded Payload:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
2. Check Token Expiration
See if your token is still valid:
Payload with expiration:
{
"sub": "user123",
"exp": 1735689600,
"iat": 1735603200
}
Tool shows:
- Expires: Dec 31, 2024 5:00:00 PM
- Badge: "Expired" or "Valid"
3. Inspect API Tokens
Decode tokens from API responses:
Example OAuth token:
{
"iss": "https://auth.example.com",
"sub": "user@example.com",
"aud": "api.example.com",
"exp": 1735689600,
"iat": 1735603200,
"scope": ["read", "write"]
}
4. Verify Token Claims
Check custom claims in your JWT:
Custom claims:
{
"userId": "12345",
"role": "admin",
"permissions": ["read", "write", "delete"],
"tenant": "company-a"
}
5. Learn JWT Structure
Understand how JWTs work:
Header tells the algorithm:
{
"alg": "RS256",
"typ": "JWT",
"kid": "key-id-1"
}
Payload contains data:
{
"sub": "user",
"name": "John",
"admin": true
}
Signature verifies authenticity (not decoded)
Understanding JWT
What is JWT?
JWT (JSON Web Token) is a compact, URL-safe token format for securely transmitting information between parties. It's commonly used for:
- Authentication - User login sessions
- Authorization - Access control and permissions
- Information exchange - Secure data transfer
JWT Structure
A JWT consists of three Base64url-encoded parts separated by dots:
xxxxx.yyyyy.zzzzz
Format:
header.payload.signature
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
The header typically contains:
- alg: Signing algorithm (e.g., HS256, RS256)
- typ: Token type (usually "JWT")
Example:
{
"alg": "HS256",
"typ": "JWT"
}
Payload (Claims)
The payload contains claims about the user and metadata:
Standard claims:
- iss (issuer): Who issued the token
- sub (subject): Subject identifier (usually user ID)
- aud (audience): Intended recipient
- exp (expiration): When the token expires (Unix timestamp)
- iat (issued at): When the token was created
- nbf (not before): Token not valid before this time
Example:
{
"sub": "1234567890",
"name": "John Doe",
"admin": true,
"iat": 1516239022,
"exp": 1516242622
}
Custom claims: You can add any custom claims for your application:
{
"userId": "user123",
"role": "admin",
"permissions": ["read", "write"]
}
Signature
The signature is created by:
- Taking the Base64url-encoded header and payload, joined with a dot
- Signing that string with the secret key (HMAC) or the private key (RSA/ECDSA)
- Using the algorithm named in the header's alg field
Purpose:
- Verify token hasn't been tampered with
- Verify sender is who they claim to be
Note: This tool supports HS256 signature verification directly in the browser. Simply provide your secret key in the Signature tab to verify token integrity. RSA/ECDSA support is coming soon.
Common JWT Algorithms
Symmetric (HMAC)
HS256 - HMAC with SHA-256
- Uses same secret key for signing and verification
- Fast and simple
- Both parties must know the secret
HS384 - HMAC with SHA-384
HS512 - HMAC with SHA-512
Asymmetric (RSA)
RS256 - RSA with SHA-256
- Uses private key to sign, public key to verify
- More secure for public APIs
- Slower than HMAC
RS384 - RSA with SHA-384
RS512 - RSA with SHA-512
Asymmetric (ECDSA)
ES256 - ECDSA with SHA-256
- Uses elliptic curve cryptography
- Smaller keys, better performance than RSA
- Modern and secure
ES384 - ECDSA with SHA-384
ES512 - ECDSA with SHA-512
Token Validation
Expiration Check
Always check the exp claim:
{
"exp": 1735689600
}
Convert to date:
new Date(exp * 1000); // Dec 31, 2024
If current time > expiration time, token is expired.
Not Before Check
Check the nbf claim:
{
"nbf": 1735603200
}
Token is not valid before this time.
Issuer Verification
Verify the iss claim matches expected issuer:
{
"iss": "https://auth.yourapp.com"
}
Audience Verification
Verify the aud claim matches your API:
{
"aud": "https://api.yourapp.com"
}
Security Considerations
Never Trust Blindly
- Always verify signature on the server
- Check expiration before using token
- Validate issuer and audience claims
- Use HTTPS to transmit tokens
What This Tool Does NOT Do
- ❌ Verify signatures - Requires secret key
- ❌ Validate tokens - Only decodes content
- ❌ Store tokens - Everything stays in browser
- ❌ Send data to server - 100% client-side
Best Practices
- Store tokens securely - Use httpOnly cookies
- Use short expiration times - Reduce risk if token is stolen
- Implement token refresh - Get new tokens without re-login
- Use strong algorithms - RS256 or ES256 for production
- Validate on server - Never trust client-side validation
Frequently Asked Questions
Q: Is it safe to paste my JWT token here?
A: Yes, this tool runs entirely in your browser. Your token never leaves your device or gets sent to any server.
Q: Why doesn't this tool verify signatures?
A: Actually, this tool does verify HS256 signatures! You can enter your HMAC secret in the Signature tab to verify the token's integrity locally. For RSA or ECDSA (asymmetric) algorithms, verification requires public/private keys which we are planning to support in the future. For now, you can use the implementation snippets provided to verify them on your server.
Q: What does "Expired" mean?
A: The token's expiration time (exp claim) is in the past. The token should not be accepted by servers.
Q: Can I decode tokens from any provider?
A: Yes, this tool decodes standard JWT tokens from any provider (Auth0, Firebase, custom, etc.).
Q: What if my token has only 2 parts?
A: That's not a valid JWT. JWTs must have exactly 3 parts: header, payload, and signature.
Q: Can I see what algorithm was used?
A: Yes, check the "alg" field in the Header tab.
Q: What does the signature look like decoded?
A: The signature is binary data and isn't meant to be decoded. It's kept in base64-encoded form.
Privacy & Security
Your privacy is important to us:
- No data is sent to any server
- All decoding happens in your browser
- No cookies or tracking
- No account or login required
- Completely free to use