JWT Debugger
Decode, inspect and verify JSON Web Tokens. View claims with OIDC descriptions, verify signatures with HS256/RS256/ES256, and auto-fetch public keys from OIDC issuers.
{
"alg": "HS256",
"typ": "JWT"
}{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 1916239022,
"iss": "https://example.com",
"email": "john@example.com"
}How to Use JWT Debugger
- 1Paste your JWT (the long string starting with "eyJ...") into the input field.
- 2The header and payload are decoded instantly with color-coded claim categories.
- 3Hover over any claim key to see its description and standard.
- 4Switch between Structured and JSON views using the tab on each section.
- 5To verify the signature, enter your secret (HS256) or paste a public key (RS256/ES256).
- 6For OIDC tokens, click "Fetch from Issuer" to automatically retrieve and verify with the issuer's public keys.
Frequently Asked Questions
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token used to securely transmit information between parties. It consists of three Base64-encoded parts: header, payload, and signature, separated by dots.
Is it safe to paste my JWT here?
This tool runs entirely in your browser — your token is never sent to any server. The only network request is the optional JWKS fetch, which contacts the token's own issuer to retrieve public keys.
What do the claim colors mean?
Cyan claims are standard JWT claims (RFC 7519), violet claims are OIDC core claims, amber claims are OIDC profile claims, and gray claims are custom/non-standard.
Which signature algorithms are supported?
HS256 (HMAC-SHA256 with a shared secret), RS256 (RSA-SHA256 with a public key), and ES256 (ECDSA P-256 with a public key). These cover the vast majority of JWTs in production.