
JWT Debugger – Decode, Inspect & Verify JSON Web Tokens

Decode JWT tokens instantly. Inspect headers, payload claims, and signatures. Verify HMAC signatures in-browser with live expiry countdown — no data ever leaves your device.


What is JWT Debugger?

A full-featured JWT debugger built for developers. Paste any JWT to instantly decode its header and payload, inspect all standard and custom claims with documentation, verify HMAC-SHA signatures (HS256/384/512) using the WebCrypto API, and track token expiry with a live countdown timer. Supports RS256, ES256, PS256, EdDSA, and more with clear guidance on server-side verification. Security warnings surface weak algorithms, missing expiry claims, and tampered signatures automatically.


JWT Debugger Features

In-Browser Signature Verification

Verify HS256, HS384, and HS512 signatures using the WebCrypto API — your secret never leaves the browser. Instantly tells you if the token has been tampered with.

Live Expiry Countdown

Real-time countdown shows exactly how long until a token expires — down to the second. Immediately flags expired, not-yet-valid, and no-expiry tokens.

Full Claims Documentation

Every standard JWT claim (iss, sub, aud, exp, iat, nbf, jti, scope, azp, and 15+ more) is annotated with its full name, purpose, and human-readable timestamp conversion.

Security Warnings

Automatically flags insecure algorithms (none, weak HMAC), missing expiry claims, expired tokens, and not-yet-valid tokens so security issues are never missed.
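The in-browser HMAC verification and the warning checks described above can be sketched with the WebCrypto API as follows. This is an added example, not the debugger's own code; the function names, warning labels, secret, and sample token are constructed for illustration.

```javascript
// Added example (not the tool's source). Runs in a browser or Node 20+.
const HASH = new Map([["HS256", "SHA-256"], ["HS384", "SHA-384"], ["HS512", "SHA-512"]]);
const subtle = globalThis.crypto?.subtle ??
  (typeof require === "function" ? require("node:crypto").webcrypto.subtle : undefined);
const utf8 = (s) => new TextEncoder().encode(s);

function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Uint8Array.from(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)), (c) => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const json = (p) => JSON.parse(new TextDecoder().decode(b64urlToBytes(p)));
  return { header: json(parts[0]), payload: json(parts[1]), parts };
}
// Warnings of the kind the page lists: alg "none", missing exp, expired, not yet valid.
function claimWarnings({ header, payload }, nowSec = Math.floor(Date.now() / 1000)) {
  const w = [];
  if (String(header.alg).toLowerCase() === "none") w.push("alg-none");
  if (payload.exp === undefined) w.push("missing-exp");
  else if (payload.exp <= nowSec) w.push("expired");
  if (payload.nbf !== undefined && payload.nbf > nowSec) w.push("not-yet-valid");
  return w;
}
async function hmacKey(alg, secret, usage) {
  return subtle.importKey("raw", utf8(secret), { name: "HMAC", hash: HASH.get(alg) }, false, [usage]);
}
// Resolves to true only for HS256/384/512 tokens whose signature matches the secret.
async function verifyHmac(token, secret) {
  const { header, parts } = decodeJwt(token);
  if (!HASH.has(header.alg)) return false; // "none" and asymmetric algorithms are refused here
  const key = await hmacKey(header.alg, secret, "verify");
  return subtle.verify("HMAC", key, b64urlToBytes(parts[2]), utf8(parts[0] + "." + parts[1]));
}
// Builds a constructed sample token so the example is self-contained.
async function signSample(alg, payload, secret) {
  const input = bytesToB64url(utf8(JSON.stringify({ alg, typ: "JWT" }))) + "." +
    bytesToB64url(utf8(JSON.stringify(payload)));
  const sig = await subtle.sign("HMAC", await hmacKey(alg, secret, "sign"), utf8(input));
  return input + "." + bytesToB64url(new Uint8Array(sig));
}
```

The hash is taken from the token's `alg` header only after it matches the HS256/384/512 allow-list, so a header naming `none` or any unknown algorithm fails verification instead of being accepted.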

Algorithm Strength Analysis

Rates your signing algorithm (strong / medium / weak) and explains the tradeoffs between HS256, RS256, ES256, PS256, EdDSA, and others.

Visual Token Breakdown

Color-coded header, payload, and signature parts with interactive section switching. Click any part of the raw token to jump directly to that section.


JWT Debugger FAQ

Yes — all decoding and signature verification runs entirely in your browser using the WebCrypto API. Tokens and secrets are never sent to any server. That said, avoid pasting tokens in shared or public environments where someone could see your screen.

Asymmetric algorithms (RS256, RS512, ES256, ES384, PS256, EdDSA) require a private/public key pair and are best verified server-side using libraries like jsonwebtoken (Node.js), PyJWT (Python), golang-jwt (Go), or auth0/java-jwt (Java). The debugger decodes and inspects these tokens fully — only signature verification requires a server-side step.

If your token has an exp claim, the debugger shows a real-time countdown (updating every second) showing exactly how long until it expires, plus a lifetime progress bar from iat to exp.

Warnings appear when: the algorithm is 'none' (no signature), a weak or symmetric algorithm is used in a context where asymmetric is preferred, the exp claim is missing, or the token is already expired or not yet valid (nbf).

The decoder supports all standard JWT algorithms: HS256, HS384, HS512 (HMAC — browser-verifiable), RS256, RS384, RS512 (RSA), ES256, ES384, ES512 (ECDSA), PS256, PS384, PS512 (RSA-PSS), EdDSA, and none. Each is rated for security strength.