~toolsjwt

JWT Debugger & Security Analyzer

Learn how JWTs work, explore common attacks hands-on, decode tokens, or build your own. Everything runs in your browser.

Step 1 of 8

What is a JWT?

A JSON Web Token is a compact, URL-safe way to represent claims between two parties. It's used everywhere — API authentication, SSO, session tokens. A JWT has three parts separated by dots:

header eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.payload eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTc3Mzk2NTIzNX0.signature SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

Algorithm & type

Payload

Claims & data

Signature

Integrity check

Load a sample token:

Encoded Token

Paste a JWT token above or click a sample to get started.

Build a JWT interactively. For HMAC algorithms (HS256/384/512), enter a secret key to generate a real signature. Everything runs in your browser via Web Crypto.

Header

Algorithm

Secret Key

Click to generate a real HMAC signature

Payload Claims

sub (Subject)

name

role

admin

Include exp

Hours

Custom Claims

Live Token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwicm9sZSI6InVzZXIiLCJhZG1pbiI6ZmFsc2UsImlhdCI6MTc3Mzk2MTYzNSwiZXhwIjoxNzczOTY1MjM1fQ.signature-requires-signing

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "role": "user",
  "admin": false,
  "iat": 1773961635,
  "exp": 1773965235
}

Security Check

HS256 — Weak Key Risk

Token Not Expired

Missing Claims