Comprehensive Guide to JWT Debugger
Welcome to the W3D Network JWT Debugger. This tool is an essential utility for developers working with modern authentication systems. It allows you to decode, inspect, and verify JSON Web Tokens (JWTs) directly in your browser, ensuring your authentication flows are secure and correct.
1. What is a JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
A JWT consists of three parts separated by dots (.):
- Header: Contains metadata like the type of token (JWT) and the signing algorithm (e.g., HS256 or RS256).
- Payload: Contains the "claims" (statements about an entity/user) and additional data (e.g., user ID, roles, expiration time).
- Signature: Proves the sender's identity and ensures the message hasn't been changed along the way.
2. Why Use This Tool?
JWTs are Base64Url encoded, making them look like random strings to the human eye. This tool decodes them instantly so you can:
- Debug Login Issues: Check if a token contains the correct roles or permissions (e.g., "role": "admin").
- Verify Expiration: See exactly when a token expires (the exp claim) in human-readable time, preventing "Token Expired" errors in your app.
- Validate Signatures: Confirm that a token was actually signed by your server by entering your secret or public key. This is crucial for security auditing.
- No Backend Required: Unlike some debuggers that send your tokens to a remote server, our tool performs all decoding and verification locally in your browser.
3. Data Privacy & Security
Security tokens (like Access Tokens or ID Tokens) often grant access to sensitive user data. You should never paste them into untrusted online tools.
- Zero Network Transfer: We use client-side libraries to decode and verify tokens. Your JWTs and secrets never leave your device.
- Safe Debugging: Because no data is stored or logged, you can safely inspect valid tokens without risking a leak.
4. Common JWT Errors
If your token is being rejected by your API, check for these common issues:
a. "Signature Invalid"
This means the token content doesn't match the signature. It usually happens if:
- Only part of the token was copied.
- The wrong secret key is being used to verify.
- The token payload was tampered with after signing.
b. "Token Expired"
Check the exp (Expiration Time) claim. JWTs are invalid after this timestamp. Also check nbf (Not Before), which prevents a token from being used before a certain time.
c. The "none" Algorithm Vulnerability
Some insecure libraries allow tokens with "alg": "none", which have no signature. Attackers can forge these tokens to bypass authentication. Always verify that your backend explicitly rejects the "none" algorithm.
5. Best Practices
- Keep Secrets Secret: Your HMAC secret key (used for HS256) allows anyone to sign valid tokens. Never expose it in frontend code.
- Use HTTPS: Always transmit JWTs over secure channels (HTTPS) to prevent interception (Man-in-the-Middle attacks).
- Short Expiration: Set short expiration times (e.g., 15 minutes) for Access Tokens and use Refresh Tokens to maintain sessions. This limits the damage if a token is stolen.