JWT Debugger

JWT Debugger

Explore Text & Data Tools
Encoded Structure
Signature is present, but not verified
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjI5MjYyMzkwMjJ9.X_b1d8Yj_h0l3f_E5m9N8P6TfA4WfUUSh8XoY
Header
Payload
Signature

Token Active

Expires in 13343 days

18% elapsed

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 2926239022
}
Recognized Claims
subSubject1234567890
nameFull NameJohn Doe
iatIssued At1/18/2018, 3:30:22 AM
expExpiration Time9/23/2062, 3:10:22 PM

Decode and inspect JWT tokens instantly

A JWT Debugger helps you inspect the contents of a JSON Web Token without manually splitting the token, decoding Base64Url segments, or converting timestamp claims by hand.

This tool lets you:

  • decode the JWT header
  • decode the JWT payload
  • inspect the raw signature segment
  • view recognized claims like iss, sub, aud, iat, nbf, and exp
  • toggle human-readable dates
  • check whether a token is active or expired
  • see how far the token is through its lifecycle
  • copy a clean decoded report in one click

If you work with APIs, authentication systems, OAuth flows, identity providers, or app sessions, this kind of visibility makes JWT debugging much faster.

What a JWT is

A JWT, or JSON Web Token, is a compact token format used to transmit claims between systems.

A JWT is usually made of three dot-separated parts:

  • Header
  • Payload
  • Signature

A typical token looks like this:

aaaaa.bbbbb.ccccc

More specifically:

  • the header describes metadata such as the signing algorithm
  • the payload contains claims like the subject, issuer, roles, or expiration time
  • the signature is used to help verify that the token has not been tampered with

JWTs are commonly used in:

  • login and session flows
  • OAuth and OpenID Connect
  • API authentication
  • access tokens and refresh token ecosystems
  • microservices and identity systems

What this JWT Debugger does

This tool is designed for inspection and troubleshooting.

When you paste a token, it:

  • checks that the token has the expected three-part JWT structure
  • decodes the header JSON
  • decodes the payload JSON
  • shows the signature segment separately
  • extracts recognized standard claims for easier reading
  • converts timestamps into readable dates when you enable that option
  • calculates whether the token is expired or still active
  • updates the relative expiration display automatically over time

The result is a much more usable debugging view than looking at the raw token alone.

Important limitation: this tool does not verify the signature

This is one of the most important things to understand.

This JWT Debugger does not verify whether the token signature is valid.

It can show you:

  • the header n- the payload
  • the existence of the signature segment
  • the token structure
  • readable claims and dates

But it does not confirm that:

  • the token was signed with the correct secret
  • the token was signed by the expected issuer
  • the signature matches the header and payload cryptographically

So this tool is excellent for decoding and analysis, but not for proving trust.

That distinction matters when debugging authentication bugs, because a JWT can be structurally correct and still be invalid in the system that issued or consumes it.

How to use the JWT Debugger

1. Paste your JWT into the input box

Paste the full token into the large input area.

A valid JWT should contain:

  • one header segment
  • one payload segment
  • one signature segment
  • dots separating all three parts

If the token format is invalid, the tool shows an error message immediately.

2. Review the encoded structure

Once the token parses successfully, the debugger displays the three raw encoded parts visually:

  • Header
  • Payload
  • Signature

This helps you confirm the token shape quickly and makes it easier to explain what part of the token you are inspecting.

3. Inspect the decoded header and payload

The tool shows the decoded JSON for both:

  • Header
  • Payload

This is useful when you need to inspect:

  • alg
  • typ
  • kid
  • iss
  • sub
  • aud
  • scope
  • roles
  • custom claims from your application

4. Toggle human-readable dates

Enable Human Dates to turn JWT timestamps like iat, nbf, and exp into readable local date-time values.

This is especially useful when debugging authentication issues caused by:

  • expired tokens
  • clock drift
  • tokens issued in the future
  • unexpected not-before windows

5. Check the token lifecycle banner

If the payload contains an exp claim, the tool shows a lifecycle banner that tells you:

  • whether the token is active or expired
  • how much time remains or how long ago it expired
  • how far through its lifespan it is

If the token also includes iat, the progress bar becomes much more informative because the debugger can estimate elapsed lifecycle percentage.

6. Copy the decoded report

Use Copy JSON to export a report containing:

  • decoded header
  • decoded payload
  • raw signature segment

That makes it easy to paste the result into tickets, docs, bug reports, or developer notes.

Understanding the three JWT parts

The header contains metadata about the token.

Typical header fields include:

  • alg for the signing algorithm
  • typ for the token type
  • sometimes kid for a key identifier

The header helps the receiving system understand how to interpret and verify the token.

Payload

The payload contains the claims.

Claims can include:

  • who the token is about
  • who issued it
  • who it is for
  • when it expires
  • what permissions it grants
  • any custom application data included by the issuer

This is usually the most important part during debugging.

Signature

The signature segment is the encoded third part of the token.

This debugger shows it so you can inspect the full structure, but it does not cryptographically verify it.

Recognized claims shown by the tool

The debugger highlights common standard or widely used claims in a dedicated claims table.

Recognized claims include:

  • iss — Issuer
  • sub — Subject
  • aud — Audience
  • exp — Expiration Time
  • nbf — Not Before
  • iat — Issued At
  • jti — JWT ID
  • name — Full Name
  • given_name — Given Name
  • family_name — Family Name
  • email — Email Address
  • scope — Permissions or Scope
  • roles — User Roles

This makes it easier to scan the token without digging through raw JSON manually.

Why human-readable date conversion matters

JWT timestamp claims are usually stored as Unix seconds.

For example:

  • iat = issued at
  • nbf = not before
  • exp = expiration time

Raw Unix timestamps are fine for machines, but they are slower for humans to interpret during debugging.

With Human Dates enabled, the debugger turns those values into readable local timestamps so you can quickly answer questions like:

  • Was this token already expired when I received it?
  • Is the expiration time what I expected?
  • Was it issued too far in the past?
  • Is the nbf claim blocking it yet?

That can save a surprising amount of time in auth debugging.

Understanding token lifecycle status

If the token includes an exp claim, this tool calculates lifecycle information.

Active token

If the current time is still earlier than exp, the token is shown as active.

The debugger also shows how much time is left.

Expired token

If the current time is greater than or equal to exp, the token is shown as expired.

The debugger shows how long ago it expired.

Lifecycle progress

If the token includes both iat and exp, the tool estimates how much of the token lifetime has already elapsed.

This is helpful when debugging short-lived tokens, rotating auth systems, or flows where token age affects behavior.

Common JWT debugging use cases

Check whether a token is expired

One of the most common reasons a token fails is simply that it is too old.

This tool helps you confirm that immediately.

Inspect the aud or iss claim

Authentication issues often happen because a token was minted for the wrong audience or from an unexpected issuer.

The claims table makes those fields easy to spot.

Compare token payloads between environments

If staging and production behave differently, decoding both tokens side by side can reveal differences in:

  • scopes
  • roles
  • expiration windows
  • issuer values
  • custom claims

Debug permission issues

If a user should have access but does not, inspect claims like:

  • scope
  • roles
  • sub
  • app-specific authorization flags

Document authentication bugs clearly

The copyable decoded report makes it easier to share findings with teammates in a readable format.

Common mistakes and misunderstandings

Assuming decoding equals verification

A JWT can decode perfectly and still be invalid for your application.

Decoding tells you what is inside the token. It does not prove trust.

Forgetting time zones and local clocks

Auth bugs can happen because of clock skew, incorrect time assumptions, or short expiration windows.

Readable timestamps help expose that quickly.

Treating the payload as secret

JWT payloads are encoded, not encrypted by default.

That means the claims are usually readable by anyone who has the token unless the system uses an encrypted token format instead.

Ignoring nbf

A token may fail not because it is expired, but because it is not valid yet.

That is why nbf is worth checking alongside exp and iat.

Looking only at the raw token string

Raw tokens are hard to reason about. A structured debugger view makes it much easier to find the real issue.

Why this tool is helpful

You can decode JWTs in code or via browser console snippets, but that adds friction to a task many developers do repeatedly.

This tool is useful when you want to:

  • decode a token quickly
  • inspect claims visually
  • understand expiry timing at a glance
  • share a readable debug report
  • avoid manual Base64Url decoding
  • compare tokens during auth troubleshooting

It turns JWT inspection into a faster and more reliable workflow.

Perfect for

  • front-end developers
  • backend developers
  • API integrators
  • teams working with OAuth or OpenID Connect
  • QA testers debugging auth flows
  • support engineers reviewing token issues
  • anyone who needs a fast JWT decoder and debugger

If you need to inspect a JSON Web Token, check its claims, read its timestamps, and understand whether it is expired, this JWT Debugger gives you a clear view in seconds.

Paste a token, decode the header and payload, review recognized claims, and inspect token lifecycle details instantly.

Frequently Asked Questions

This tool decodes a JSON Web Token and shows its header, payload, raw signature segment, recognized standard claims, and token lifecycle details like expiration and issued-at time. It is designed for inspection and debugging, not signature verification.

No. It shows that a signature segment is present, but it does not verify whether the token was signed with the correct secret or public key. It is a decoder and inspector, not a full JWT verifier.

Yes. You can toggle human-readable dates on or off. When enabled, standard JWT timestamp claims are displayed as readable local dates and times instead of raw Unix seconds.

Yes. If the token includes an exp claim, the tool shows whether the token is active or expired, how much time remains or has passed, and a visual lifecycle progress bar.

The tool shows the token’s three encoded sections: header, payload, and signature. It also decodes the header and payload JSON so you can inspect claims, metadata, and token structure more easily.

Yes. The Copy JSON action exports a compact report containing the decoded header, payload, and signature segment so you can paste it into notes, tickets, docs, or debugging workflows.

Explore Our Tools

Browse All Tools →

Read More From Our Blog

Read More →