JWT Debugger

Decode, verify, and generate JSON Web Tokens (JWTs).

Features

Decode & Inspect

Instantly decode JWTs to view their Header and Payload data in a readable JSON format.

Verify Signatures

Validate the authenticity of a token by providing the secret key to check the signature.

Generate Tokens

Create custom JWTs by defining your own header, payload, and secret.

Expiration Checks

Automatically detects and visualizes token expiration status.

Format Validation

Highlights errors in JSON structure or Token format to help you debug quickly.

About JWT Debugger

The JWT Debugger is a comprehensive tool for developers working with JSON Web Tokens (JWT). Unlike simple decoders, this tool allows you to verify token signatures using your secret keys and even generate new tokens for testing purposes. It runs entirely in your browser, ensuring that your tokens and secrets never leave your device. Whether you are debugging authentication flows, testing API endpoints, or learning about JWT structure, this tool provides everything you need in one secure interface.

How to Use JWT Debugger

  1. Decode a Token

     Paste your JWT string into the 'Encoded Token' box to see its contents instantly.

  2. Verify Signature

     Enter your HMACSHA256 secret in the verification section and click 'Verify' to check if the token is valid.

  3. Check Expiration

     Look at the expiration indicator in the Payload section to see if the token is still active.

  4. Generate a Token

     Switch to the 'Encode' tab, modify the Header and Payload JSON, enter a secret, and click 'Encode' to create a new valid JWT.
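The four steps above can be reproduced offline with Node's built-in crypto module. This is an added example, not the tool's own code; the function names, the secret and the payload are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Step 4: build an HS256 token from a payload and a shared secret.
function signHS256(payload, secret) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const input = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(input).digest();
  return input + '.' + b64url(sig);
}

// Steps 1-3: decode, verify the signature, check 'exp'.
// nowSec is injectable so the expiry check can be tested deterministically.
function inspectHS256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return { valid: false, error: 'format' };
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return { valid: false, error: 'json' };
  }
  // Pin the algorithm on the verifier side; the token's header is
  // untrusted input and must not select the check (e.g. "none").
  if (header.alg !== 'HS256') return { valid: false, error: 'alg', header, payload };
  // The MAC covers the first two segments exactly as transmitted.
  const expected = crypto.createHmac('sha256', secret)
    .update(parts[0] + '.' + parts[1]).digest();
  const given = Buffer.from(parts[2], 'base64url');
  // Constant-time comparison; lengths must match before timingSafeEqual.
  const valid = given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
  // RFC 7519: the token is only acceptable strictly before 'exp'.
  const expired = typeof payload.exp === 'number' && nowSec >= payload.exp;
  return { valid, expired, header, payload, error: valid ? null : 'signature' };
}

// Constructed sample values, not real credentials.
const DEMO_SECRET = 'constructed-demo-secret';
const DEMO_PAYLOAD = { sub: 'user-123', iat: 1700000000, exp: 1700003600 };
const DEMO_TOKEN = signHS256(DEMO_PAYLOAD, DEMO_SECRET);
```

A decoded payload is only trustworthy when `valid` is true and `expired` is false; decoding alone proves nothing about who issued the token.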

Frequently Asked Questions

Yes. All decoding and verification logic runs locally in your browser. Your tokens and secret keys are never transmitted to any server.
We primarily support HS256 for verification and generation testing, as it allows for secret-key based signatures.
This usually happens if the secret key you entered does not match the one used to sign the token, or if the payload has been tampered with.
The header typically consists of the token type (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA.
Yes, if the payload contains an 'iat' (issued at) claim, the tool will decode it and show the readable date and time.
The tool checks the 'exp' (expiration time) claim and displays a status indicator showing whether the token is currently active or expired.