JWT Debugger
Editor
Summary
Warnings
Decoded token
What is a JWT Debugger?
A JWT debugger helps you inspect JSON Web Tokens by decoding the header and payload, checking claims, and validating the signature when a secret or key is available.
It is useful for authentication debugging, API testing, expiration checks, and quickly editing payload data during development.
How to use the JWT Debugger
- Paste a JWT token into the token field.
- Optionally enter the secret or key and choose the algorithm.
- Click Analyze to inspect claims and validation results.
- Edit header or payload JSON and generate a new token if needed.
Tips
- JWT payload data is only encoded, not encrypted.
- Always verify expiration and not-before claims when debugging auth issues.
- Use the same algorithm and secret as your backend when validating signatures.
- Do not paste production secrets unless you fully trust the environment.
Related guides
Learn the workflow behind this tool and what to check next.
How to inspect JWT auth issues
A JWT troubleshooting flow for checking token claims, time values, permissions, and signing assumptions without treating decoding as verification.
How to validate a domain before launch
A launch workflow for confirming DNS records, domain ownership signals, SSL coverage, and security headers on the public endpoint.
JWT debugging checks before trusting token claims
Decoding a JWT makes claims readable, but signature validation, expiration, issuer, audience, and key choice decide whether it is trustworthy.
Validate the signature
Check the algorithm, secret or public key, and expected signing method before accepting header and payload values.
Review time claims
Inspect exp, nbf, and iat with the correct timezone and clock skew so expired or not-yet-valid tokens are not accepted.
Confirm issuer and audience
Compare iss, aud, sub, tenant, and scope values against the application that will consume the token.
Avoid pasting secrets
Use non-production tokens or local test keys when debugging, especially for shared screenshots, logs, or support tickets.
Privacy and usage
Built for quick checks without an account
Toolinix tools are designed for short developer tasks: paste a safe sample, inspect the result, copy what you need, and move on.
No login required
You can use the tools without creating an account, subscribing to a newsletter, or saving a workspace.
Local when possible
Formatters, generators, encoders, and text utilities generally run in your browser. Network diagnostics may need a server-assisted lookup to check public URLs, domains, or IPs.
Keep secrets out
Do not paste production passwords, private keys, access tokens, customer records, or regulated data into online tools unless your own security policy allows it.
Related tools
You may also find these tools useful.