
JWT Debugger

Decode any JWT to see its header and payload, verify the signature, detect expiry, and encode new tokens — all in one place.

Features:
- Decode header + payload
- Verify signature
- Encode JWT
- Detect expiry
- Algorithm display
- Timestamp decode

JWT structure reference

| Part      | Encoding  | Contains                                          | Signed? |
|-----------|-----------|---------------------------------------------------|---------|
| Header    | Base64URL | alg (algorithm), typ (token type)                 | Yes     |
| Payload   | Base64URL | sub, iat, exp, plus custom claims                 | Yes     |
| Signature | Base64URL | HMAC or RSA signature over header + payload       | N/A     |

⚠️ The payload is Base64URL encoded, not encrypted — anyone can decode it. Never put secrets in a JWT payload.

Frequently asked questions

What are the three parts of a JWT?

A JWT has three Base64URL-encoded parts separated by dots:
1) Header — the token type and signing algorithm.
2) Payload — the claims: sub (subject), iat (issued at), exp (expiry), plus any custom claims.
3) Signature — the HMAC or RSA signature over the header and payload, proving the token is authentic.

What is the difference between JWT and session cookies?

Session cookies store a random session ID; the server stores session data in a database. JWTs are self-contained — the user data is inside the token. JWTs work well for stateless APIs and microservices. Sessions are easier to invalidate (delete server-side); JWTs cannot be invalidated before expiry without a token revocation list.

What is the alg:none vulnerability?

The JWT spec allows "none" as an algorithm, meaning the token carries no signature. A vulnerable server that accepts alg:none tokens will accept a forged token with any payload, because there is nothing to verify. Always explicitly whitelist the allowed algorithms on the server (e.g. only HS256 and RS256), never let the token's own alg header choose how it is verified, and reject tokens with alg:none.

How does JWT expiry work?

The "exp" claim is a Unix timestamp. The server checks that the current time is before exp. A typical access token expires in 15 minutes to 1 hour; a refresh token in 7–30 days. Short access token lifetimes limit damage if a token is stolen.

Related dev tools

More tools for authentication and API testing.

JWT Encoder

Create signed JWT tokens with custom payloads and algorithm selection.

JWT Decoder

Quickly decode a JWT token and inspect the header and payload claims.

API Request Tester

Send requests with JWT Bearer auth and inspect the response.

Debug your JWT tokens now

Free account. 50 credits per day. Access to 75+ tools instantly.
