JWT Decoder & Validator - Inspect JSON Web Tokens.
Decode, inspect, and verify JWT tokens instantly with syntax highlighting
What are JSON Web Tokens (JWT)?
JWT is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. Each JWT contains three parts: Header, Payload, and Signature, separated by dots (.).
JWT Structure
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header.Payload.Signature
Why Debug JWT Tokens?
| Reason | Use Case |
|---|---|
| 🔐 Authentication Issues | Debug login failures and permission errors |
| ⏰ Token Expiration | Check exp claim to see if token is still valid |
| 👤 User Information | Inspect user roles, permissions, and metadata |
| 🛠️ API Development | Verify token structure during development |
| 🔍 Security Analysis | Examine token claims for security vulnerabilities |
Token Components
Header
Contains metadata about the token:
{
  "alg": "HS256", // Signing algorithm
  "typ": "JWT"    // Token type
}
Payload (Claims)
Contains the actual data:
{
  "sub": "1234567890", // Subject (user ID)
  "name": "John Doe",  // Custom claim
  "iat": 1516239022,   // Issued at
  "exp": 1516242622    // Expires at
}
Signature
Verifies the token hasn't been tampered with
Standard Claims
| Claim | Description | Example |
|---|---|---|
| iss | Issuer | "auth.example.com" |
| sub | Subject (User ID) | "user123" |
| aud | Audience | "api.example.com" |
| exp | Expiration Time | 1516242622 |
| iat | Issued At | 1516239022 |
| nbf | Not Before | 1516239022 |
| jti | JWT ID | "abc123" |
Features
✅ Instant Decoding — Paste JWT and see decoded parts immediately
✅ Syntax Highlighting — JSON formatting with color coding
✅ Timestamp Conversion — Convert Unix timestamps to readable dates
✅ Expiration Warning — Alert when tokens are expired
✅ Multiple Algorithms — Support for HS256, RS256, ES256, and more
✅ Error Detection — Identify malformed or invalid tokens
Common JWT Problems
🚨 Token Expired
exp: 1516242622 (Jan 18, 2018 1:30:22 AM UTC)
Status: EXPIRED ❌
⚠️ Missing Claims
- No exp claim (token never expires)
- Missing iss or aud for validation
- Empty or null claims
🔧 Algorithm Issues
- Algorithm mismatch (header says HS256, server expects RS256)
- Unsigned tokens ("alg": "none")
Security Best Practices
🔒 Never store sensitive data in JWT payload — it's just Base64 encoded, not encrypted
⏰ Always set expiration times — use short-lived tokens (15-30 minutes)
🔐 Use strong signing secrets — minimum 256-bit keys for HS256
🛡️ Validate all claims — check iss, aud, exp, and custom claims
🚀 Use HTTPS only — never transmit JWTs over unencrypted connections
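The algorithm issues and the "validate all claims" practice above, as an added example (not this tool's own code): a server-side check that pins HS256 instead of trusting the header, verifies the signature, and only then checks exp, iss and aud. The function names, the demo secret and the sample claims are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    # Hypothetical helper: builds constructed sample tokens for the demo.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def validate(token, secret, issuer, audience, now=None) -> dict:
    """Verify the signature first, then the claims; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm on the server; the header must not choose it ("none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("missing exp")
    if now >= exp:
        raise ValueError("expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong iss")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong aud")
    return claims

if __name__ == "__main__":
    key = b"constructed-demo-secret-32-bytes"  # constructed, not a real key
    tok = sign_hs256({"sub": "user123", "iss": "auth.example.com",
                      "aud": "api.example.com", "exp": int(time.time()) + 900}, key)
    print(validate(tok, key, "auth.example.com", "api.example.com"))
```
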