JWT Debugger

Decode and inspect JSON Web Tokens instantly. Header, payload, and signature shown separately. Nothing leaves your browser.

JWT Structure

A JWT has three Base64url-encoded parts separated by dots: header.payload.signature. The format is defined in RFC 7519. See also: jwt.io introduction.

The header names the algorithm. The payload carries claims. The signature lets the server verify both haven't been tampered with. Read more: JWT Token Debugging and Security Analysis.

Common Claims

  • iss — issuer
  • sub — subject (user ID)
  • aud — audience
  • exp — expiry (Unix timestamp)
  • iat — issued at
  • jti — unique token ID

Security Tips

  • The payload is encoded, not encrypted — never put secrets in it
  • Always transmit JWTs over HTTPS
  • Keep expiry (exp) short-lived
  • Use RS256 or ES256 for production (asymmetric keys)
  • Store in httpOnly cookies, not localStorage

Frequently Asked Questions

Can this tool verify a JWT signature?

No — signature verification requires the secret or public key, which you should never paste into a web tool. This tool only decodes the header and payload.

Is my token sent to a server?

No. All decoding happens in your browser using the Web Crypto API and atob(). Your token never leaves your device.

What is Base64url encoding?

It is Base64 with + replaced by -, / replaced by _, and padding removed — making it safe for use in URLs and HTTP headers. You can encode/decode Base64 directly with the Base64 tool.

Why does exp show a human-readable date?

This tool automatically converts exp, iat, and nbf claims from Unix timestamps to UTC strings so you can read them instantly.
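The decode-only inspection described on this page, as an added JavaScript example (not this tool's own source code): it splits the three parts, reverses the Base64url encoding, converts exp, iat, and nbf to UTC strings, and leaves the signature unverified. The names decodeJwt, b64urlDecode, b64urlEncode, and sampleToken, the warning texts, and the sample claim values are assumptions made for illustration.

```javascript
// Added example: decode-only JWT inspection; the signature is never verified.
const TIME_CLAIMS = ["exp", "iat", "nbf"];

// Base64url -> UTF-8 text: map - and _ back to + and /, restore the padding.
function b64urlDecode(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg) || seg.length % 4 === 1) {
    throw new Error("segment is not valid Base64url");
  }
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Inverse of the above; used here only to build the constructed sample token.
function b64urlEncode(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const times = {};
  for (const claim of TIME_CLAIMS) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  // Checks taken from the Security Tips list above (algorithm choice, expiry).
  const warnings = [];
  if (!["RS256", "ES256"].includes(header.alg)) warnings.push("alg is not RS256/ES256");
  if (typeof payload.exp !== "number") warnings.push("no exp claim");
  else if (payload.exp <= nowSec) warnings.push("token is expired");
  const hasBoth = typeof payload.exp === "number" && typeof payload.iat === "number";
  const lifetimeSec = hasBoth ? payload.exp - payload.iat : null;
  return { header, payload, times, lifetimeSec, signature: parts[2], verified: false, warnings };
}

// Constructed sample; the third segment is placeholder text, not a real signature.
const sampleToken = [
  b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify({ iss: "https://issuer.example", sub: "user-123", iat: 1700000000, exp: 1700003600 })),
  "c2lnbmF0dXJl",
].join(".");

console.log(decodeJwt(sampleToken));
```

The result always carries verified: false, because decoding alone says nothing about whether the header and payload were tampered with.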