JWT Debugger

Decode, inspect, and verify JSON Web Tokens (JWT) locally.

Runs 100% in your browser — your data never leaves this device

Encoded JWT Token

Header (Algorithm & Token Type)

...

Payload (Data)

...

Verify Signature

Provide a valid token first.

What is JWT Debugger?

The JWT Debugger is a client-side tool that allows you to paste a JSON Web Token (JWT) and instantly view its decoded Header and Payload datasets. It also includes a signature verification engine that can validate standard HMAC (HS256, HS384, HS512) signatures directly in your browser.

How to Use JWT Debugger

1. Paste your JWT string (typically starting with 'eyJ...') into the input box. 2. The Header and Payload will automatically decode and display in color-coded JSON formats. 3. The Expiry badge will instantly show whether the token has expired. 4. If you have the secret key, paste it into the "Verify Signature" box to check if the token's signature matches its contents.

Common Use Cases

Inspecting authorization tokens returned by OAuth/OIDC login providers.
Verifying that the correct claims (like user ID or roles) are encoded within a token.
Troubleshooting "Invalid Signature" errors by explicitly verifying the token against the known server secret.
Checking token expiration dates and timestamps in a human-readable format.

Frequently Asked Questions

Is my JWT sent to a server?

No. All decoding and signature verification mapping happens exclusively inside your browser using JavaScript and the native Web Crypto API. Your tokens and secrets are 100% private and never leave your device.

What signature algorithms can it verify?

This tool currently supports standard symmetric HMAC algorithms: HS256, HS384, and HS512. Asymmetric RSA/ECDSA verification is not yet supported in this version.

What happens if a token is expired?

The debugger will still successfully decode and display the contents, but it will clearly flag the status as "Expired" using the "exp" payload claim.

Find this tool useful? Support the project to keep it free!

Buy me a coffee

What is JWT Debugger?

How to Use JWT Debugger

Common Use Cases

Inspecting authorization tokens returned by OAuth/OIDC login providers.
Verifying that the correct claims (like user ID or roles) are encoded within a token.
Troubleshooting "Invalid Signature" errors by explicitly verifying the token against the known server secret.
Checking token expiration dates and timestamps in a human-readable format.

Frequently Asked Questions

Is my JWT sent to a server?

What signature algorithms can it verify?

This tool currently supports standard symmetric HMAC algorithms: HS256, HS384, and HS512. Asymmetric RSA/ECDSA verification is not yet supported in this version.

What happens if a token is expired?

The debugger will still successfully decode and display the contents, but it will clearly flag the status as "Expired" using the "exp" payload claim.

Related Tools

JWT Decoder

Decode and inspect JSON Web Tokens (JWT) without validation.

Cron Expression Generator

Build cron schedule expressions visually.

HTTP Status Code Lookup

Quick reference for all HTTP status codes.

User Agent Parser

Parse and analyze user agent strings.

SQL Formatter

Format and beautify SQL queries.

What is JWT Debugger?

How to Use JWT Debugger

Common Use Cases

Inspecting authorization tokens returned by OAuth/OIDC login providers.
Verifying that the correct claims (like user ID or roles) are encoded within a token.
Troubleshooting "Invalid Signature" errors by explicitly verifying the token against the known server secret.
Checking token expiration dates and timestamps in a human-readable format.

Frequently Asked Questions

Is my JWT sent to a server?

What signature algorithms can it verify?

This tool currently supports standard symmetric HMAC algorithms: HS256, HS384, and HS512. Asymmetric RSA/ECDSA verification is not yet supported in this version.

What happens if a token is expired?

The debugger will still successfully decode and display the contents, but it will clearly flag the status as "Expired" using the "exp" payload claim.