Are JWTs secure for sensitive data?

JWT payloads are Base64Url-encoded, not encrypted — anyone can read them. Never store sensitive data in a JWT unless you use JWE (JSON Web Encryption).

What's the difference between HMAC and RSA JWT algorithms?

HMAC algorithms (HS256/384/512) use a shared secret — both the issuer and verifier know the same key. RSA algorithms (RS256/384/512) use a public/private key pair — the issuer signs with the private key, and anyone with the public key can verify. Use HMAC for server-to-server, RSA for distributed systems where the verifier shouldn't be able to create tokens.

What happens when a JWT expires?

The exp claim in the payload specifies the expiration timestamp. After that time, the token should be rejected by the server. This tool shows you the decoded exp so you can check whether a token is still valid. Note that JWT expiration is a claim, not enforced by the token itself — the server must validate it.

JWT Debugger - Encode, Decode & Verify

All processing happens locally in your browser — nothing is sent to any server

Paste

Verify Signature

Secret / Public Key

JWT Debugger is a free online tool for encoding, decoding, and verifying JSON Web Tokens. Supports HS256, RS256, ES256 and more algorithms. All processing runs in your browser — no tokens are sent to any server.

What is JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and authorization in web applications. Debug tokens here, then verify payloads with [Base64](/base64) decoding or check key integrity with [Hashing](/hashing).

Common Use Cases

Authenticating API requests — include a JWT in the Authorization header (Bearer token) to verify the caller's identity and permissions.

Decoding and debugging tokens during development — inspect the header and payload claims (iss, sub, exp, iat) without writing code.

Verifying token signatures against a shared secret (HMAC) or public key (RSA/ECDSA) to ensure integrity before trusting the claims.

How to Decode a JWT

1
Paste your JWT
2
Inspect the header and payload
3
Verify the signature (optional)

Frequently Asked Questions

All processing happens locally in your browser — nothing is sent to any server

Paste

Verify Signature

Secret / Public Key

What is JWT?

Common Use Cases

Authenticating API requests — include a JWT in the Authorization header (Bearer token) to verify the caller's identity and permissions.

Decoding and debugging tokens during development — inspect the header and payload claims (iss, sub, exp, iat) without writing code.

Verifying token signatures against a shared secret (HMAC) or public key (RSA/ECDSA) to ensure integrity before trusting the claims.

How to Decode a JWT

1
Paste your JWT
2
Inspect the header and payload
3
Verify the signature (optional)

Verify Signature

What is JWT?

Common Use Cases

How to Decode a JWT

Frequently Asked Questions

Related Tools

Verify Signature

What is JWT?

Common Use Cases

How to Decode a JWT

Frequently Asked Questions

Related Tools