Axonix Tools
Client-Side Decoder

JWT Debugger

Decode, verify and debug JSON Web Tokens. Paste your token to view its header and payload instantly.

Encoded Token

Header

Algorithm & Token Type

{}

Payload

Data & Claims

{}

Signature

Verified Signature

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
)

Built With Care

JWTs are signed, not encrypted — the payload is readable by anyone. This tool decodes base64url segments locally so you can inspect claims like exp, iat, and sub before trusting a token.

JWT Debugger

Decode and inspect JSON Web Tokens without sending them to a third-party server. Paste any JWT to see its header, payload, and signature structure laid out in a readable format.

No signup neededRuns offlineClient-side processing
How to Use JWT Debugger
  • 1Copy a JWT from your browser's Authorization header or localStorage.
  • 2Paste it into the input field — the tool decodes automatically.
  • 3Read the header for the signing algorithm (alg) and token type (typ).
  • 4Read the payload for claims like exp (expiration), sub (subject), and iat (issued at).
  • 5The signature section is shown but not verified — you need the signing key for that.
Key Features
  • Automatic decoding as you type or paste — no submit button needed.
  • Color-coded header and payload sections for quick visual scanning.
  • Clipboard paste button for one-click token import.
  • Client-side processing with instant header, payload, and signature decoding.

Real Ways People Use This

Debugging Auth Flows

Paste a token from your browser DevTools to verify which claims your backend expects and whether the token has expired.

Learning JWT Structure

See exactly how header, payload, and signature sections are encoded and separated by dots.

Inspecting Third-Party Tokens

Check what data is embedded in tokens from OAuth providers or APIs without needing their signing secret.

Important Notes
  • This tool decodes but does not verify signatures. Anyone can forge a JWT payload if they know the structure.
  • Expired tokens will still decode — check the exp claim manually to confirm validity.
  • Tokens with non-standard encodings or malformed base64 may fail to decode.
Quick Checklist
  • 1Confirm the token has exactly 3 dot-separated parts before pasting.
  • 2Check the exp claim against the current time to verify the token hasn't expired.

Questions That Usually Come Up

More Tools You’ll Actually Use