JWT Debugger

Decode, encode & verify JSON Web Tokens — all in your browser

Encoded Token

Valid JWT155 bytes

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature

Algorithm: HS256

Type: JWT

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Signature Verification

What is this secret?For HS256/384/512, the verifier uses the same symmetric key the issuer used to sign the JWT. You don't “download” it from jwt.io — it comes from your server or identity provider: env vars like JWT_SECRET, dashboard signing secrets (Auth0, Supabase, Clerk, Firebase, etc.), or your framework's auth config.

The preset your-256-bit-secret is only a familiar placeholder so the bundled example JWT on the Decoder tab verifies. Replace it with your real secret for your own tokens. For new keys, prefer at least 32 random bytes of entropy; “256-bit” refers to the HMAC algorithm strength, not the exact character count of the string.

Base64URL encoded

Generate secret fills a 32-byte random key and checks Base64URL so the key bytes match standard signing libraries. Uncheck only if your secret is a plain string (UTF-8).

Token Info

Size

155 bytes

Claims

Algorithm

HS256

Type

JWT

Header Claims

Claim	Value
alg	"HS256"
typ	"JWT"

Payload Claims

Claim	Value	Description
sub	"1234567890"	Subject — identifies the principal that is the subject
name	"John Doe"	Custom claim
iat	1516239022 (2018-01-18T01:30:22.000Z)	Issued At — time at which the JWT was issued