JWT Decoder
Instantly decode and inspect JSON Web Tokens (JWT) with our free online debugger. This tool allows developers to view the header, payload, and signature of any JWT to simplify authentication debugging and claim verification.
Did You Know?
JWT parts are separated by dots and use Base64Url encoding, which replaces + with - and / with _ to stay URL-friendly.
Best Practice
Never store sensitive data like passwords or PII in a JWT payload, because the payload is not encrypted by default.
JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. They are defined in RFC 7519 and are the industry standard for modern web authentication. Because the data is Base64Url encoded, it is easily readable by anyone who possesses the token. This tool provides a simple interface to decode that data so you can understand the information being passed between your client and server.
Tip
Always check the 'alg' header to ensure your application isn't vulnerable to 'none' algorithm attacks.
Incorporate JWT inspection during the development of OAuth2 or OpenID Connect flows to ensure your tokens contain the expected metadata. When debugging 401 Unauthorized errors, your first step should be decoding the token to check if it has expired or if the issuer (iss) and audience (aud) claims match your server configuration. This helps isolate whether the issue lies in the token generation or the validation logic.
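The debugging steps above, sketched as an added example (not this tool's own code): it decodes the header and payload, then flags the 'alg', 'exp', 'iss' and 'aud' problems the text mentions. The function names, the expected issuer and audience values and the sample tokens are assumptions constructed for illustration, and the code inspects only; it does not verify the signature.

```javascript
// Decode-only JWT inspection: reads the claims, does NOT verify the signature.
function b64urlToJson(part) {
  // Base64Url -> Base64: restore '+' and '/', then re-add the stripped '=' padding.
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function inspectJwt(token, expected, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error('expected Header.Payload.Signature (3 dot-separated parts)');
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const findings = [];

  // 'alg' comes from the token itself, so compare it to a server-side allow-list.
  if (typeof header.alg !== 'string' || header.alg.toLowerCase() === 'none') {
    findings.push('alg-none-or-missing');
  } else if (!expected.algorithms.includes(header.alg)) {
    findings.push('alg-not-allowed');
  }
  if (parts[2] === '') findings.push('empty-signature');

  // 'exp' is a Unix timestamp in seconds (RFC 7519).
  if (typeof payload.exp !== 'number') findings.push('exp-missing');
  else if (payload.exp <= nowSeconds) findings.push('expired');

  if (payload.iss !== expected.issuer) findings.push('iss-mismatch');
  // 'aud' may be a single string or an array of strings.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expected.audience)) findings.push('aud-mismatch');

  return { header, payload, findings };
}

// Constructed sample tokens (built here for the example, not real credentials).
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const claims = { iss: 'https://idp.example', aud: 'api.example', exp: 1700000000 };
const SAMPLE_OK = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.c2ln`;
const SAMPLE_NONE = `${enc({ alg: 'none' })}.${enc({ ...claims, aud: ['other'] })}.`;
const EXPECTED = { algorithms: ['HS256'], issuer: 'https://idp.example', audience: 'api.example' };
```

An empty findings list only means the claims look as expected; the token is trustworthy only after the server verifies the signature with its own key and its own fixed algorithm list.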
Q: Is it safe to paste my JWT here? A: Yes, the decoding process is performed entirely on the client side; your token is never transmitted to our servers.
Q: Do I need a secret key to decode a JWT? A: No, you only need a key to verify the signature or to encode a token. The data itself is only Base64Url encoded and can be read by anyone.
Q: Why is my JWT not decoding correctly? A: Ensure the token follows the 'Header.Payload.Signature' format and that no extra spaces or characters were included during the copy-paste process.
Q: Can I edit the JWT and re-encode it? A: While you can see the data, any manual changes to the payload will invalidate the signature unless you have the original secret key to sign it again.
Tip
The 'exp' claim is a Unix timestamp; use it to determine exactly when a user's session will expire.