DevBench

JWT Debugger

Decode, encode & verify JSON Web Tokens — all in your browser

Valid JWT (155 bytes)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
Signature
Algorithm: HS256
Type: JWT
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Signature Verification

What is this secret?

For HS256/384/512, the verifier uses the same symmetric key the issuer used to sign the JWT. You don't “download” it from jwt.io — it comes from your server or identity provider: env vars like JWT_SECRET, dashboard signing secrets (Auth0, Supabase, Clerk, Firebase, etc.), or your framework's auth config.

The preset your-256-bit-secret is only a familiar placeholder so the bundled example JWT on the Decoder tab verifies. Replace it with your real secret for your own tokens. For new keys, prefer at least 32 random bytes of entropy; “256-bit” refers to the HMAC algorithm strength, not the exact character count of the string.

Generate secret fills in a random 32-byte key and ticks the Base64URL checkbox so that the key bytes match what standard signing libraries use. Untick it only if your secret is a plain (UTF-8) string.

Token Info

Size: 155 bytes
Claims: 3
Algorithm: HS256
Type: JWT

Header Claims

Claim  Value
alg    "HS256"
typ    "JWT"

Payload Claims

Claim  Value                                  Description
sub    "1234567890"                           Subject — identifies the principal that is the subject
name   "John Doe"                             Custom claim
iat    1516239022 (2018-01-18T01:30:22.000Z)  Issued At — time at which the JWT was issued

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64url-encoded sections separated by dots: header, payload, and signature. JWTs are most commonly used as bearer tokens in HTTP Authorization headers to authenticate API requests without server-side session storage.

JWT structure: header, payload, signature

Supported signing algorithms

Security warning: JWTs are not encrypted by default

The header and payload of a standard JWT are only Base64url-encoded — anyone who obtains the token can read its contents. Never put sensitive data (passwords, PII, secrets) in a JWT payload unless you are using JWE (JSON Web Encryption). Signing proves integrity and authenticity; it does not provide confidentiality.
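The points made on this page (decoding is not verification, the secret is the issuer's symmetric key, and the Base64URL checkbox changes which bytes the HMAC is computed over) can be shown end to end with a few lines of standard-library Python. The following is an added example, not DevBench's own code: it decodes the sample token shown above, renders the iat claim as the tool does, and verifies the signature with the placeholder secret your-256-bit-secret both as a UTF-8 string and as base64url-encoded key bytes. Only the HS* algorithms are covered; the algorithm the verifier accepts is pinned by the caller rather than read from the token's header.

```python
import base64
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

# Sample token and placeholder secret as shown on the page (the familiar jwt.io example).
SAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
PLACEHOLDER_SECRET = "your-256-bit-secret"

# HMAC algorithms handled here; asymmetric RS*/ES* algorithms are out of scope.
HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(s: str) -> bytes:
    """Unpadded base64url (RFC 4648 section 5) -> bytes; padding is restored first."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    """bytes -> unpadded base64url text, the form used in compact JWS."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Split a compact JWS and decode header and payload WITHOUT verifying.

    Anyone holding the token can do this, which is why the page warns against
    putting sensitive data in the payload: encoding is not encryption.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three dot-separated sections")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": parts[2],
        "size": len(token.encode("ascii")),
    }


def secret_bytes(secret: str, base64url: bool) -> bytes:
    """Mirror the page's Base64URL checkbox: the secret string is either
    base64url-encoded key bytes (ticked) or a plain UTF-8 string (unticked)."""
    return b64url_decode(secret) if base64url else secret.encode("utf-8")


def generate_secret() -> str:
    """32 random bytes, presented base64url-encoded like the page's Generate secret button."""
    return b64url_encode(os.urandom(32))


def sign_hs(header: dict, payload: dict, key: bytes) -> str:
    """Produce a compact JWS over compact JSON (no whitespace, insertion order kept)."""
    alg = header["alg"]
    signing_input = ".".join(
        b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
        for obj in (header, payload)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), HMAC_DIGESTS[alg]).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_hs(token: str, key: bytes, expected_alg: str = "HS256") -> bool:
    """Recompute the HMAC over 'header.payload' and compare in constant time.

    The caller pins the algorithm; the token's own 'alg' header is only checked
    for agreement and never used to select the verification routine.
    """
    if expected_alg not in HMAC_DIGESTS:
        return False
    try:
        parts = token.split(".")
        if len(parts) != 3:
            return False
        header = json.loads(b64url_decode(parts[0]))
        if not isinstance(header, dict) or header.get("alg") != expected_alg:
            return False
        signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    except ValueError:  # bad base64, bad JSON, or non-ASCII token text
        return False
    mac = hmac.new(key, signing_input, HMAC_DIGESTS[expected_alg]).digest()
    return hmac.compare_digest(b64url_encode(mac), parts[2])


def iat_to_iso(ts: int) -> str:
    """Render a NumericDate claim the way the page's claim table does."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


if __name__ == "__main__":
    info = decode_jwt(SAMPLE_JWT)
    print(info["size"], "bytes;", info["header"]["alg"], info["payload"])
    print("iat:", iat_to_iso(info["payload"]["iat"]))
    key = secret_bytes(PLACEHOLDER_SECRET, base64url=False)
    print("verifies with placeholder secret:", verify_hs(SAMPLE_JWT, key))
```

Signing the page's header and payload with the placeholder secret reproduces the sample token byte for byte, while the same secret string interpreted as base64url key bytes does not verify it; that is exactly the difference the checkbox controls, and the usual cause of "valid token, invalid signature" confusion when a key generated as random bytes is pasted into a tool that treats it as text.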
