JWT Debugger

Decode, encode, and verify JSON Web Tokens. Everything runs in your browser; nothing is sent to a server.

About JWTs

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It consists of three Base64URL-encoded parts separated by dots: header.payload.signature.

The header specifies the signing algorithm (e.g. HS256, RS256) and token type.

The payload contains claims - statements about the user and metadata. Standard claims include iss (issuer), sub (subject), exp (expiration), and iat (issued at).

The signature is computed over the encoded header and payload (joined by a dot) with a secret or private key, allowing recipients to verify that the token is authentic and has not been modified.

JWTs are not encrypted by default. Anyone can decode the payload. Never store sensitive data in a JWT unless using JWE (JSON Web Encryption).
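
The structure described above, as an added Node.js example (not the debugger's own code): it decodes a token without any key, then verifies an HS256 signature with the algorithm pinned by the verifier and the exp claim checked. The function names, the secret, and the sample claims are constructed for illustration.

```javascript
// Added example (not the debugger's own code): decode and verify an HS256 JWT.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Decoding needs no key: header and payload are only Base64URL-encoded JSON.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return { header: b64urlJson(parts[0]), payload: b64urlJson(parts[1]), parts };
}

// HS256 signature: HMAC-SHA256 over the ASCII string "<header>.<payload>".
function signHs256(signingInput, secret) {
  return createHmac('sha256', secret).update(signingInput).digest();
}

// Verify with the algorithm pinned by the verifier, not taken from the token.
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload, parts } = decodeJwt(token);
  if (header.alg !== 'HS256') return { valid: false, reason: 'unexpected alg' };
  const expected = signHs256(`${parts[0]}.${parts[1]}`, secret);
  const given = Buffer.from(parts[2], 'base64url');
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { valid: false, reason: 'bad signature' };
  }
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) {
    return { valid: false, reason: 'expired' };
  }
  return { valid: true, payload };
}

// Build a constructed sample token (claims and secret are made up for this example).
function makeSampleToken(secret, payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const input = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}`;
  return `${input}.${signHs256(input, secret).toString('base64url')}`;
}

const SAMPLE_SECRET = 'constructed-demo-secret';
const SAMPLE_CLAIMS = { iss: 'example-issuer', sub: 'user-123', iat: 1700000000, exp: 1700003600 };
const SAMPLE_TOKEN = makeSampleToken(SAMPLE_SECRET, SAMPLE_CLAIMS);
```

decodeJwt succeeds on any well-formed token regardless of who signed it, so claims should be trusted only after verifyHs256 returns valid: true.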