
JWT Debugger

Decode and inspect JSON Web Tokens (JWTs) locally.

Header (algorithm & token type)

Payload (data / claims)

Signature

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), your-256-bit-secret )

Understanding JWT Structure

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. It consists of three parts separated by dots (.):

  • Header: Contains metadata about the type of token and the cryptographic algorithm used (e.g., HMAC SHA256 or RSA).
  • Payload: Contains the claims (data). This can include the user's ID, role, and token expiration time.
  • Signature: Used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.

Security Best Practices

When using JWTs, always ensure you:

  • Don't store sensitive data: The payload is only Base64url-encoded, not encrypted, so anyone who holds the token can read it (as this tool demonstrates). Never put passwords or secret keys in the payload.
  • Use HTTPS: Always transmit tokens over secure channels to prevent interception.
  • Set short expiration times: To limit the window of opportunity for an attacker if a token is stolen.
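The three-part structure and the signature formula above, worked through end to end. This is an added example, not the debugger's own code: it builds an HS256 token, shows that the header and payload can be read without any key (which is all a debugger does), then verifies the signature and the `exp` claim the way a server must before trusting the claims. `DEMO_SECRET` and the claim values are constructed for the example; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real service loads its key from a secret store.
DEMO_SECRET = b"demo-secret-do-not-use-in-production"


def b64url_encode(data):
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    """Restore the padding JWT strips, then decode."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def create_hs256_token(header, payload, secret):
    """header.payload.signature with HMAC-SHA256, mirroring the formula on the page."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token):
    """Read header and payload WITHOUT checking the signature.

    This is what a debugger does, and why the payload must never carry secrets:
    no key is needed to read it.
    """
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token, secret, now=None):
    """Check the signature and the exp claim; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; the token's own header must not pick the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # RFC 7519: the current time must be strictly before exp.
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def _rejected(token, secret, now):
    """True if verify_hs256 refuses the token."""
    try:
        verify_hs256(token, secret, now=now)
        return False
    except ValueError:
        return True


def demo():
    """Run the three scenarios and return the observations as a dict."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "user-42", "role": "viewer", "exp": 1700000000}  # constructed claims
    token = create_hs256_token(header, payload, DEMO_SECRET)
    results = {}
    results["decoded_header"], results["decoded_payload"] = decode_unverified(token)
    results["verified_payload"] = verify_hs256(token, DEMO_SECRET, now=1700000000 - 60)
    # Edited payload with the original signature left in place: decoding still
    # shows the new role, verification does not accept it.
    head_b64, _, sig_b64 = token.split(".")
    edited = dict(payload, role="admin")
    edited_token = head_b64 + "." + b64url_encode(
        json.dumps(edited, separators=(",", ":")).encode()) + "." + sig_b64
    results["edited_role_visible"] = decode_unverified(edited_token)[1]["role"]
    results["edited_rejected"] = _rejected(edited_token, DEMO_SECRET, now=1700000000 - 60)
    # Short expiry in action: one second past exp the valid token is refused.
    results["expired_rejected"] = _rejected(token, DEMO_SECRET, now=1700000000 + 1)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The split between `decode_unverified` and `verify_hs256` is the point: a debugger only needs the former, a service must only ever act on the output of the latter.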