JWT Decoder & Debugger
Decode and debug JSON Web Tokens — inspect header, payload, and signature with claim explanations, HMAC signature verification, and live expiry calculations.
How to Use This Tool
1. Paste your JWT (the three-part dot-separated string) into the input field. The Bearer prefix is stripped automatically.
2. The debugger instantly splits and displays the header, payload, and signature with syntax-highlighted JSON.
3. Hover or tap any recognised claim name (like sub, exp, iss) to see a plain-English explanation of what it means.
4. Check the Token Status panel for live expiry calculations — time remaining, token lifetime, and whether the token is currently valid.
5. Optionally enter your HMAC secret key to verify the signature for HS256, HS384, or HS512 tokens.
What is JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519 that is widely used for authentication and information exchange between parties. A JWT consists of three Base64URL-encoded sections separated by dots: a header that describes the token type and signing algorithm, a payload that contains claims (statements about a user or system), and a signature used to verify the token has not been tampered with.
JWTs are stateless — the server does not need to look up a session in a database to authenticate a request. Instead, it verifies the signature using a secret or public key, trusts the payload if the signature is valid, and uses claims like sub (subject/user ID), exp (expiry timestamp), iss (issuer), and aud (audience) to make authorization decisions. This makes JWTs popular in microservice architectures and single-page applications that communicate with APIs.
Decoding a JWT is not the same as verifying one. Our debugger shows you what's inside the header and payload — the algorithm used, the user ID, roles, expiry time — and explains what each claim means. For HMAC-signed tokens (HS256, HS384, HS512), you can optionally enter your secret key to verify the signature right in the browser. All processing runs locally — your token and secret never leave your machine.
Frequently Asked Questions
Is decoding a JWT the same as verifying it?
No. Decoding only reads the Base64URL-encoded header and payload — anyone can do this without the signing secret. Verification checks the cryptographic signature to confirm the token was issued by a trusted party and has not been modified. Never trust a decoded JWT's claims without verifying the signature in your application.
Is my token sent to a server?
No. All decoding, claim analysis, and signature verification runs entirely in your browser using JavaScript and the Web Crypto API. Your JWT and secret key are never transmitted to any server.
What are the most common JWT claims?
Standard claims defined in RFC 7519 include: sub (subject — typically a user ID), iss (issuer — who created the token), aud (audience — who the token is intended for), exp (expiration time), iat (issued at), and nbf (not before). Applications often add private claims for roles, permissions, and other user attributes.
Can this tool verify RSA or ECDSA signatures?
Currently, signature verification supports the HMAC algorithms (HS256, HS384, HS512), which use a shared secret key. RSA and ECDSA verification require a public key in PEM or JWK format — this may be added in a future update. For now, the tool decodes and displays all token types regardless of algorithm.
Why does my JWT have three parts separated by dots?
The three parts are the header, payload, and signature — each independently Base64URL-encoded. The header describes the token type (JWT) and signing algorithm (e.g., HS256 or RS256). The payload holds claims. The signature is computed over the first two parts using a secret key (HMAC) or a private key (RSA/ECDSA), so any change to the header or payload invalidates it.