JWT Debugger

All tools

Editor

Summary

Algorithm
Verification
Signature
exp
nbf
iat

Warnings

Decoded token

What is a JWT Debugger?

A JWT debugger helps you inspect JSON Web Tokens by decoding the header and payload, checking claims, and validating the signature when a secret or key is available.

It is useful for authentication debugging, API testing, expiration checks, and quickly editing payload data during development.

How to use the JWT Debugger

  1. Paste a JWT token into the token field.
  2. Optionally enter the secret or key and choose the algorithm.
  3. Click Analyze to inspect claims and validation results.
  4. Edit header or payload JSON and generate a new token if needed.

Tips

  • JWT payload data is only encoded, not encrypted.
  • Always verify expiration and not-before claims when debugging auth issues.
  • Use the same algorithm and secret as your backend when validating signatures.
  • Do not paste production secrets unless you fully trust the environment.

Related guides

Learn the workflow behind this tool and what to check next.

JWT debugging checks before trusting token claims

Decoding a JWT makes claims readable, but signature validation, expiration, issuer, audience, and key choice decide whether it is trustworthy.

Validate the signature

Check the algorithm, secret or public key, and expected signing method before accepting header and payload values.

Review time claims

Inspect exp, nbf, and iat with the correct timezone and clock skew so expired or not-yet-valid tokens are not accepted.

Confirm issuer and audience

Compare iss, aud, sub, tenant, and scope values against the application that will consume the token.

Avoid pasting secrets

Use non-production tokens or local test keys when debugging, especially for shared screenshots, logs, or support tickets.

Privacy and usage

Built for quick checks without an account

Toolinix tools are designed for short developer tasks: paste a safe sample, inspect the result, copy what you need, and move on.

No login required

You can use the tools without creating an account, subscribing to a newsletter, or saving a workspace.

Local when possible

Formatters, generators, encoders, and text utilities generally run in your browser. Network diagnostics may need a server-assisted lookup to check public URLs, domains, or IPs.

Keep secrets out

Do not paste production passwords, private keys, access tokens, customer records, or regulated data into online tools unless your own security policy allows it.

Related tools

You may also find these tools useful.

JWT Debugger FAQ

Can this tool validate JWT signatures?
Yes, when you provide the required secret or key and the token uses a supported algorithm.
Can I edit and regenerate a JWT?
Yes. You can modify the header and payload JSON, then generate a new token.
Does it show expiration details?
Yes. The debugger can show whether a token is expired and help inspect time-related claims.
Is my token sent to a server?
That depends on your implementation. If your setup validates on the backend, do not use production secrets unless you trust the environment.