Understanding JSON Web Tokens (JWT)
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
A JWT consists of three parts separated by dots (.):
- Header: Typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
- Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.
- Signature: Created by taking the encoded header, the encoded payload, and a secret, and signing them with the algorithm specified in the header.
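The three-part structure above can be reproduced and checked in a few lines of Node.js. This is an added example, not this tool's own code; the function names `signHS256` and `verifyHS256` and the sample secret are assumptions made for illustration. The verifier pins HS256 instead of taking the algorithm from the token's header, so a token declaring a different `alg` is rejected before any signature check.

```javascript
// Added example: create and verify an HS256-signed JWT with Node's built-in crypto.
const nodeCrypto = require("crypto");

// Every JWT segment is base64url-encoded without padding.
const b64url = (data) => Buffer.from(data).toString("base64url");

// Hypothetical helper: build header.payload.signature for a claims object.
function signHS256(payload, secret) {
  const header = { alg: "HS256", typ: "JWT" };
  const signingInput = b64url(JSON.stringify(header)) + "." + b64url(JSON.stringify(payload));
  const sig = nodeCrypto.createHmac("sha256", secret).update(signingInput).digest();
  return signingInput + "." + b64url(sig);
}

// Hypothetical helper: returns { valid, reason } or { valid, header, payload }.
function verifyHS256(token, secret) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { valid: false, reason: "malformed" };
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    payload = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  } catch {
    return { valid: false, reason: "malformed" };
  }
  // Pin the algorithm the verifier expects; never let the token choose it.
  if (!header || header.alg !== "HS256") return { valid: false, reason: "unexpected alg" };
  // Recompute the MAC over the encoded segments exactly as they were received.
  const expected = nodeCrypto.createHmac("sha256", secret).update(h + "." + p).digest();
  const given = Buffer.from(s, "base64url");
  // Constant-time comparison; the length check avoids a throw in timingSafeEqual.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { valid: false, reason: "bad signature" };
  }
  return { valid: true, header, payload };
}

// Constructed sample values, not real credentials.
const sampleSecret = "constructed-demo-secret";
const sampleToken = signHS256({ sub: "1234567890", name: "Sample User" }, sampleSecret);
console.log(verifyHS256(sampleToken, sampleSecret).valid);
```

A valid signature only shows the token was not altered after signing; checks on claims such as expiry are separate and not covered here.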
Why Use This JWT Debugger?
Our tool allows you to quickly decode and inspect the contents of a JWT. More importantly, you can verify the signature to ensure that the token has not been tampered with. Since all operations happen in your browser, your sensitive tokens and secrets are never transmitted over the network, ensuring complete privacy.