JWT Debugger
Decode and generate JWT tokens
Verification happens entirely in your browser. No tokens are sent to external servers.
JWT (JSON Web Token) is an open standard (RFC 7519) for transmitting claims between parties as a compact, URL-safe string. A JWT is digitally signed, so a recipient holding the right key can check that it was issued by the expected party and has not been modified in transit. JWTs can be signed with HMAC (a shared secret) or with RSA/ECDSA public/private key pairs.
A JWT consists of three base64url-encoded parts separated by dots: xxxxx.yyyyy.zzzzz (header.payload.signature)
- iss (Issuer): the entity that issued the token
- sub (Subject): the subject of the token (usually a user ID)
- aud (Audience): the recipients the token is intended for
- exp (Expiration Time): Unix timestamp after which the token is no longer valid
- nbf (Not Before): Unix timestamp before which the token is not yet valid
- iat (Issued At): Unix timestamp when the token was issued
- jti (JWT ID): unique identifier for the token
- Authentication
Issue JWT after user login to verify identity in subsequent requests
- Information Exchange
Verify sender identity and detect content tampering through signatures
- Single Sign-On (SSO)
Maintain authentication across multiple services with a single token
- API Authorization
Secure API call authentication between microservices
- JWT is encoded, not encrypted. Never include sensitive information (passwords, credit cards, etc.) in the payload.
- Use a strong secret key of at least 256 bits.
- Set appropriate token expiration (exp) and consider using refresh token patterns.
- Store tokens in httpOnly cookies rather than localStorage, so that script injected through an XSS flaw cannot read them (cookies then need CSRF protection, for example the SameSite attribute).
- Always use HTTPS in production to prevent token exposure over the network.
- HS256: HMAC + SHA-256. The most commonly used symmetric-key algorithm
- HS384: HMAC + SHA-384. Same construction as HS256 with a longer (384-bit) tag
- HS512: HMAC + SHA-512. Symmetric-key algorithm with the longest (512-bit) tag of the three
This tool only supports HMAC-based symmetric algorithms (HS*). RSA/ECDSA asymmetric algorithms require separate public/private key pairs.