JWT Debugger
Decode, verify and debug JSON Web Tokens. Paste your token to view its header and payload instantly.
Encoded Token
Header
Algorithm & Token Type
{}Payload
Data & Claims
{}Signature
Verified Signature
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
your-256-bit-secret
)
Built With Care
“JWTs are signed, not encrypted — the payload is readable by anyone. This tool decodes base64url segments locally so you can inspect claims like exp, iat, and sub before trusting a token.”
JWT Debugger
Decode and inspect JSON Web Tokens without sending them to a third-party server. Paste any JWT to see its header, payload, and signature structure laid out in a readable format.
- 1Copy a JWT from your browser's Authorization header or localStorage.
- 2Paste it into the input field — the tool decodes automatically.
- 3Read the header for the signing algorithm (alg) and token type (typ).
- 4Read the payload for claims like exp (expiration), sub (subject), and iat (issued at).
- 5The signature section is shown but not verified — you need the signing key for that.
- Automatic decoding as you type or paste — no submit button needed.
- Color-coded header and payload sections for quick visual scanning.
- Clipboard paste button for one-click token import.
- Client-side processing with instant header, payload, and signature decoding.
Real Ways People Use This
Debugging Auth Flows
Paste a token from your browser DevTools to verify which claims your backend expects and whether the token has expired.
Learning JWT Structure
See exactly how header, payload, and signature sections are encoded and separated by dots.
Inspecting Third-Party Tokens
Check what data is embedded in tokens from OAuth providers or APIs without needing their signing secret.
- This tool decodes but does not verify signatures. Anyone can forge a JWT payload if they know the structure.
- Expired tokens will still decode — check the exp claim manually to confirm validity.
- Tokens with non-standard encodings or malformed base64 may fail to decode.
- 1Confirm the token has exactly 3 dot-separated parts before pasting.
- 2Check the exp claim against the current time to verify the token hasn't expired.