JWT Debugger

A JWT is a compact, URL-safe token format defined in RFC 7519 for securely transmitting claims between parties. It consists of three Base64URL-encoded parts separated by dots: a header specifying the algorithm and token type, a payload containing claims (such as sub, iat, exp, and custom fields), and a cryptographic signature that ensures integrity. JWTs are widely used in OAuth 2.0 authorization flows, OpenID Connect identity layers, and API authentication schemes. Unlike traditional session-based authentication where the server stores session state, JWTs enable stateless authentication because all the necessary information is embedded in the token itself. This makes them particularly efficient in distributed microservice architectures where multiple services need to validate requests independently without querying a central session store.

Paste your JWT into the encoded token field at the top of the page. The header and payload are decoded from Base64URL and displayed instantly in separate editable panels. Decoding simply means reversing the Base64URL encoding to reveal the JSON content — it does not require a secret key, because the payload is encoded but not encrypted. This is an important distinction: anyone with access to a JWT can read its claims. Verification, on the other hand, uses a secret or public key to confirm the signature is valid and the token has not been tampered with. You can also edit the header or payload JSON directly and the encoded token will update in real time. To re-sign the modified token, enter your secret or private key and click the Sign button to generate a new valid signature.

Yes. All decoding, verification, and signing happens entirely in your browser using the Web Crypto API. No tokens, keys, or any other data are transmitted to any server — you can verify this by opening your browser's network tab and observing that no requests are made when you interact with the tool. This is a critical advantage over many server-side JWT debugging tools, which require you to send your token to a remote endpoint for processing. Sending production tokens to third-party servers creates a security risk because those tokens could be logged, intercepted, or misused. With this client-side tool, your sensitive tokens and signing keys never leave your machine. For additional peace of mind, the tool works fully offline once the page has loaded, so you can disconnect from the internet before pasting particularly sensitive tokens.

This tool supports four algorithm families: HMAC (HS256, HS384, HS512) uses a shared symmetric secret for both signing and verification, making it simple to set up but requiring both parties to possess the same key. RSA (RS256, RS384, RS512) uses asymmetric public/private key pairs with PKCS#1 v1.5 padding, allowing you to sign with a private key and verify with a widely distributed public key. ECDSA (ES256, ES384) uses elliptic curve cryptography to achieve equivalent security with significantly smaller key sizes, which reduces token overhead. RSA-PSS (PS256, PS384, PS512) is a probabilistic variant of RSA with stronger security proofs than PKCS#1 v1.5. For most applications, RS256 is recommended as it is the most widely supported algorithm across JWT libraries and identity providers.