JWT Debugger
Decode, verify and debug JSON Web Tokens (JWT) with detailed payload analysis
JWT Token
Paste your JWT token to decode and analyze
Decoded JWT
Decoded header, payload, and signature
No JWT token to decode
Paste a JWT token above to see its decoded content
JWT Structure Explained
A JWT consists of three Base64-URL encoded parts separated by dots (.): Header.Payload.Signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
Contains metadata about the token including the signing algorithm
- • Signing algorithm (alg)
- • Token type (typ)
- • Key ID (kid) - optional
Payload
Contains the claims (statements about an entity and additional data)
- • Standard & custom claims
- • Expiration time (exp)
- • User information
Signature
Used to verify the token hasn't been changed and authenticates the sender
- • Token integrity verification
- • Data hasn't been tampered
- • Sender authentication
About JWT
Standard Claims
- •
iss— Issuer - who created the token - •
sub— Subject - who the token is about - •
aud— Audience - who the token is intended for - •
exp— Expiration time - when the token expires - •
iat— Issued at - when the token was created - •
nbf— Not before - when the token becomes valid
Common Use Cases
- • Authentication & authorization
- • Secure information transmission
- • Single sign-on (SSO)
- • API access tokens
- • Identity verification
Security
Security Warning
JWTs contain encoded but not encrypted data. Don't include sensitive information in the payload unless using JWE (JSON Web Encryption).
Best Practices
- • Use strong secret keys (256+ bits)
- • Set appropriate expiration times
- • Validate all claims on the server
- • Use HTTPS for token transmission
- • Implement proper token storage
Pro Tips
- • Check the 'exp' claim to ensure tokens haven't expired
- • Verify the 'aud' claim matches your application
- • Use 'nbf' to implement delayed token activation
- • Never store sensitive data in JWT payload