JWT Decoder & Debugger
Decode, inspect and verify JWT tokens — fast, private, no server upload.
▼ Header
▼ Payload
▶ Signature
JWT Example Payloads
Click any example below to load it into the decoder and see how different JWT tokens are structured. Each example demonstrates a specific use case or security scenario.
| Example | Description | Key Claims | Try |
|---|---|---|---|
| Basic Authentication | Standard user login token with common claims | sub, name, email, exp | |
| Expired Token | Token with past expiration — triggers expired warning | exp in the past | |
| alg:none (Insecure) | No signature algorithm — critical security risk | alg: "none" | |
| No Expiration | Service account token without exp — never expires | no exp, has scope | |
| Admin with Roles | RBAC token with role and permissions array | role, permissions[] | |
| OAuth2 / OpenID Connect | Google-style OIDC token with OAuth2 claims | azp, nonce, email_verified | |
| Long-Lived Token | IoT device token with 5-year expiry — triggers long-exp warning | exp 5 years out | |
| Minimal Token | Smallest valid JWT with only required claims | sub, iat only |
All example tokens are signed with HS256. Enter secret key toolmodoom in the Verify Signature section to test signature verification.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. JWTs are widely used for authentication and authorization in web applications, APIs, and microservices. When you log in to a website, the server often issues a JWT that your browser sends with every subsequent request to prove your identity.
Unlike traditional session-based authentication that requires server-side storage, JWTs are self-contained — all the information needed to verify the token is encoded within the token itself. This makes them ideal for stateless architectures and distributed systems.
JWT Structure (Header, Payload, Signature)
A JWT consists of three parts separated by dots (.):
- Header — Contains the token type (
typ: JWT) and the signing algorithm (alg: HS256, RS256, etc.). - Payload — Contains claims (statements about the user and metadata). Claims include registered claims like
exp(expiration),iss(issuer), andsub(subject), plus any custom data. - Signature — Created by signing the encoded header and payload with a secret key (HS256) or a private key (RS256/ES256). The signature ensures the token hasn't been tampered with.
Each part is Base64URL-encoded, making the token URL-safe and compact enough to be sent in HTTP headers, cookies, or URL parameters.
JWT Algorithm Comparison
JWTs support multiple signing algorithms. Choosing the right one depends on your architecture, security requirements, and key management capabilities.
| Algorithm | Type | Key | Use Case | Security |
|---|---|---|---|---|
| HS256 | HMAC + SHA-256 | Shared secret | Single server, internal APIs | Good — requires secret sharing |
| RS256 | RSA + SHA-256 | Private/Public key pair | Distributed systems, microservices, OAuth2 | Strong — public key can be shared safely |
| ES256 | ECDSA + P-256 | Private/Public key pair | Mobile apps, IoT, performance-sensitive | Strong — smaller keys, faster than RSA |
| PS256 | RSASSA-PSS + SHA-256 | Private/Public key pair | High-security environments | Strongest RSA variant — probabilistic padding |
| HS384/512 | HMAC + SHA-384/512 | Shared secret | When 256-bit hash is insufficient | Good — larger hash output |
| RS384/512 | RSA + SHA-384/512 | Private/Public key pair | Compliance requirements (FIPS, etc.) | Strong — larger hash output |
| none | No signature | None | DO NOT USE in production | None — tokens can be forged |
Recommendation: Use RS256 or ES256 for production systems. Use HS256 only when the signing and verification happen on the same server. Never use none in production.
Common JWT Claims
The JWT specification defines seven registered claims:
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token |
| sub | Subject | Who the token is about (usually user ID) |
| aud | Audience | Intended recipient of the token |
| exp | Expiration | Unix timestamp when the token expires |
| nbf | Not Before | Token is not valid before this time |
| iat | Issued At | When the token was created |
| jti | JWT ID | Unique identifier for the token |
💡 Need to generate a unique jti value? Use the UUID Generator — UUID v4 (random) is the recommended choice for JWT IDs, providing collision-free uniqueness without leaking creation time.
Common Public Claims (OAuth2 / OpenID Connect)
In addition to registered claims, these public claims are widely used in OAuth2 and OIDC tokens:
| Claim | Name | Description |
|---|---|---|
| name | Full Name | User's display name |
| User's email address | ||
| email_verified | Email Verified | Whether the email has been verified (boolean) |
| roles | Roles | User roles for RBAC (e.g., "admin", "editor") |
| scope | Scope | OAuth2 granted permissions (e.g., "read write") |
| azp | Authorized Party | Client ID of the application that requested the token |
| nonce | Nonce | Random value for replay attack protection (OpenID Connect) |
JWT vs Session/Cookie
When building authentication, developers often choose between JWT-based and session-based approaches. Each has distinct trade-offs depending on your architecture:
| Aspect | JWT | Session/Cookie |
|---|---|---|
| State | Stateless — token contains all info | Stateful — server stores session data |
| Scalability | Easy horizontal scaling (no shared store) | Requires shared session store (Redis, DB) |
| Size | Token can be large (all claims included) | Cookie is small (session ID only) |
| Revocation | Difficult (requires blacklist or short expiry) | Easy (delete from server) |
| Security risk | Token theft (XSS if stored in localStorage) | CSRF attacks (mitigated by SameSite cookies) |
| Best for | APIs, microservices, mobile apps, SSO | Traditional web apps, server-rendered pages |
Neither approach is universally better. JWTs excel in distributed, stateless architectures where multiple services need to verify identity without a central session store. Sessions are simpler and more secure for traditional server-rendered applications where immediate revocation matters.
Common JWT Errors and How to Fix Them
When working with JWTs, you may encounter these common error messages. Paste your token into the tool above to inspect the Header and Payload for debugging.
TokenExpiredError: jwt expired
Cause: The exp claim timestamp has passed. The token is no longer valid.
Fix: Request a new token from the authentication server. If you control the server, consider extending the token lifetime or implementing a refresh token flow. Use this tool to check the exact expiration time.
JsonWebTokenError: jwt malformed
Cause: The token string is not a valid JWT format. This usually happens when the token is truncated, corrupted, or not Base64URL-encoded properly.
Fix: Ensure you are copying the complete token string without extra whitespace or line breaks. Check that no URL encoding has been applied to the dots (.) separating the three parts.
JsonWebTokenError: invalid signature
Cause: The signature does not match the Header and Payload. This means the token was either tampered with or signed with a different key than expected.
Fix: Verify that your server is using the correct signing key. If you recently rotated keys, ensure the verification side has the updated public key. Use the Verify Signature feature above to test with your key.
Error: JWT must have 3 parts
Cause: The input does not contain exactly three dot-separated segments (header.payload.signature).
Fix: Make sure you are pasting the complete JWT token. A valid JWT always has exactly two dots. If your token starts with Bearer , remove that prefix before pasting.
JWT Security Best Practices
- Always set an expiration time (
exp) — tokens without expiration never become invalid. - Never use
alg: "none"— this disables signature verification, allowing anyone to forge tokens. - Don't store sensitive data in the payload — JWTs are encoded, not encrypted. Anyone can decode the payload.
- Use strong signing algorithms — prefer RS256 or ES256 over HS256 for production systems.
- Keep token lifetimes short — use refresh tokens for long-lived sessions.
- Validate the
issandaudclaims — ensure the token was issued by and intended for your application.
JWT in Different Frameworks
Here are the most popular JWT libraries for each programming language, along with their install commands:
| Language | Library | Install Command |
|---|---|---|
| Node.js | jsonwebtoken | npm install jsonwebtoken |
| Python | PyJWT | pip install pyjwt |
| Java | jjwt (io.jsonwebtoken) | Maven/Gradle dependency |
| Go | golang-jwt/jwt | go get github.com/golang-jwt/jwt/v5 |
| .NET / C# | System.IdentityModel.Tokens.Jwt | dotnet add package Microsoft.IdentityModel.Tokens |
| PHP | firebase/php-jwt | composer require firebase/php-jwt |
| Ruby | ruby-jwt | gem install jwt |
All of these libraries support token creation, signing, verification, and claim validation. For decoding without verification (inspecting token contents), most also provide a decode method that skips signature checking — similar to what this tool does in your browser.
How to Use This Tool
- Paste your JWT token into the input field above, or click Paste Sample to try a demo token.
- The tool instantly decodes the Header and Payload with syntax highlighting.
- Time-based claims (
exp,iat,nbf) are automatically converted to human-readable dates in your selected timezone. - Security warnings appear if potential issues are detected (e.g.,
alg: none, missing expiration, sensitive data in claims). - Click → JSON Formatter to open the decoded payload in our JSON Formatter tool for further inspection.
- Optionally, enter your secret key and click Verify Signature to check if the signature is valid.
Features
Instant Decode
Paste any JWT and instantly see the Header and Payload as formatted, syntax-highlighted JSON. Decoding happens in real time as you type — no button clicks needed.
Expiration Visualization
Time-based claims (exp, iat, nbf) are automatically converted to human-readable dates in your selected timezone, with relative time display and expiration status.
Security Warnings
Automatically detects dangerous patterns: alg:none tokens, missing expiration, excessively long token lifetime, and sensitive data in claims. Warnings are color-coded by severity.
Signature Verification
Verify HS256 token signatures directly in your browser using the Web Crypto API. Enter your secret key and confirm if the signature is valid — no server upload required.
Claim Explanations
Registered claims (iss, sub, aud, exp, nbf, iat, jti) are automatically annotated with descriptions. Custom claims are labeled separately.
100% Private
All processing happens in your browser using JavaScript. No token data is ever sent to any server. Safe to use with production tokens, API keys, and sensitive credentials.
Privacy & Security
Your JWT token is processed entirely in your browser using JavaScript. Nothing is sent to any server. All decoding, claim analysis, security checks, and signature verification happen locally. You can verify this by opening your browser's developer tools and checking the Network tab — no requests are made with your token data. This tool is safe to use with production tokens and sensitive credentials.