JWT Debugger

Decode JWTs, verify HMAC, RSA, and EC signatures (paste secret/PEM or fetch JWKS), inspect claims, and visualize the exp/nbf/iat timeline

What is JWT Debugger

Written by Giorgos Kostas. Last reviewed:

JWT Debugger decodes one or more JSON Web Tokens, verifies the signature against a shared secret, public-key PEM, or remote JWKS, and lays out every standard and custom claim with human-readable explanations.

Multi-token mode lets you paste an `id_token`, `access_token`, and `refresh_token` together — typical of an OAuth/OIDC session — so you can compare audiences, scopes, and expiries side by side.

Why use it

  • Verify a token end-to-end, not just decode it: the debugger flags `alg: none`, a `kid` with no matching JWKS entry, and expired tokens automatically.
  • Debug OIDC sessions where multiple tokens carry different `aud`, `azp`, and `scope` claims.
  • Render the `iat`, `nbf`, `exp` timeline as a visual bar so you can spot clock-skew or premature use without reading Unix timestamps.
  • Fetch JWKS by URL once and verify many tokens — handy when working with Auth0, Cognito, Okta, or Firebase.
  • Explain to a teammate what every claim means without sending them to the spec.

Features

  • Decode header + payload (multi-token mode)
  • Verify HMAC, RSA, EC signatures (jose-powered)
  • JWKS by URL via server proxy (CORS-free)
  • Algorithm + alg:none safety checks
  • iat/nbf/exp timeline with relative time
  • Per-claim explainer for iss, aud, sub, azp, scope

How to use JWT Debugger

  1. Paste token(s). Drop one or more JWTs — paste id_token + access_token side-by-side for OIDC sessions.
  2. Provide a key (optional). Paste a secret for HMAC, a PEM public key for RSA/EC, or a JWKS URL.
  3. Inspect claims. Standard claims get human-readable explanations; custom claims are listed verbatim.
  4. Read the timeline. Visual bar shows where the current time sits relative to iat/nbf/exp.

Example (before/after)

Token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNzYwMDAwMDAwfQ.signaturePlaceholder

Decoded

Header  { alg: HS256, typ: JWT }
Payload { sub: 1234567890, name: Jane Doe, iat: 1760000000 }
Verify  ✗ signature does not match (or no secret provided)

Common errors

alg: none token accepted

Some older libraries accept `alg: none` (an unsigned token) as valid unless the caller enforces an algorithm allow list, so an attacker can strip the signature and edit the claims freely.

Fix: The debugger flags `alg: none` as a danger and refuses to mark such tokens as verified — even when you provide a secret.

Signature verification fails after copy/paste

A stray space or line break picked up during copy/paste lands inside a Base64URL segment, so the decoded signing input no longer matches what the issuer actually signed.

Fix: The debugger trims whitespace and warns when the token contains characters outside Base64URL.

JWKS fetch returns CORS error

The JWKS endpoint may not allow cross-origin requests from the browser.

Fix: The debugger fetches via a server-side proxy so JWKS retrieval works regardless of CORS.

FAQ

Which signature algorithms are supported?

The signature algorithms provided by the `jose` library: HMAC (HS256/384/512), RSA (RS256/384/512, PS256/384/512), and EC (ES256/384/512, ES256K). Symmetric algorithms accept a UTF-8 secret; asymmetric algorithms accept a PEM-formatted public key or a JWKS URL.

How does JWKS verification work?

Paste the JWKS URL once; the debugger fetches the keys via our server proxy (so CORS isn't an issue), then matches the token's `kid` against the JWKS entries. Multiple tokens that share an issuer reuse the same JWKS without refetching.

Are tokens or secrets sent to a server?

Decoding and signature verification run client-side using the WebCrypto API (via `jose`). Only JWKS URLs are fetched through the server proxy, and only the URL is logged for rate limiting — never the token or secret.

What does the timeline show?

A horizontal bar with three markers: `iat` (issued at), `nbf` (not before), and `exp` (expires). The current time is overlaid so you can see at a glance whether a token is too new, valid, or expired — and by how much.

Can I use this for refresh-token rotation testing?

Multi-token mode shows three tokens together. To simulate rotation, paste the new token after each refresh; the debugger highlights changed claims so you can confirm the issuer rotates `iat` and `exp` correctly and leaves the other claims unchanged.

Why was this previously called 'JWT Decoder'?

This page replaces the older JWT Decoder slug — same URL, expanded scope. Decoding is still the default; verification, JWKS, and the timeline are additive features.