JWT Debugger & Security Tester

Decode, verify, and edit JSON Web Tokens locally. Includes security tools for testing alg:none and RS256→HS256 vulnerabilities.

JSON Workbench's JWT Debugger provides a secure, client-side environment to decode, verify, and edit JSON Web Tokens. For other data processing needs, explore our JSON Formatter, Base64 Decoder, JSON Compare, File Comparison, and Folder Diff utilities.

How to Use the JWT Debugger

Decode, inspect, and verify JSON Web Tokens in three simple steps — all locally in your browser, with zero server calls.

1. Paste Your Token

Copy a JWT from your application, API client, or browser DevTools and paste it into the Token Input panel on the left.

2. Inspect & Edit

The Header and Payload are instantly decoded into readable JSON. Edit either section and watch the encoded token update in real time.

3. Verify the Signature

Enter your HMAC secret or RSA/EC public key to cryptographically validate the token signature — locally, never sent to a server.

Understanding the JWT Structure

Header

Contains metadata: the signing algorithm (alg) and token type (typ). Base64URL-encoded and placed as the first segment.

Payload

The claims — data about the user or session, such as sub, exp, iat, and iss. Not encrypted — readable by anyone.

Signature

A cryptographic signature over the header and payload using your secret or private key. Changing any part of the token invalidates this signature.

Frequently Asked Questions

Q: Is it safe to paste my JWT here?

A: Yes. All decoding and verification happens entirely inside your browser using the Web Crypto API. Your token is never transmitted to any external server. You can verify this by checking the Network tab in your browser DevTools.

Q: What is the difference between decoding and verifying a JWT?

A: Decoding only Base64URL-decodes the first two segments of the token to reveal the header and payload; anyone can do this without a key. Verification uses your secret or public key to cryptographically confirm that the token was signed by a trusted party and has not been tampered with.

Q: What does the "alg:none" warning mean?

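A: A token whose header sets alg to none declares that it carries no signature. The alg:none vulnerability allows a malicious actor to forge such a JWT without knowing any key, because a vulnerable server accepts it as valid. When the tool detects a token using alg:none, it shows a warning. Servers that do not explicitly reject unsigned tokens are exploitable via this attack.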

Q: Can I see if my token is expired?

A: Yes. The Claims Inspector panel automatically parses the exp (expiration) claim and shows whether the token is still valid or has expired, displaying a human-readable date and time alongside a status badge.
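The difference between decoding and verifying, and the server-side check that rejects alg:none, shown as an added example (not JSON Workbench's own code). It uses Node's built-in crypto module rather than the jose library, and the secret, claims and function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');

// Decoding needs no key: it only reveals what the token claims about itself.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
  return { header: parse(parts[0]), payload: parse(parts[1]) };
}

// Helper used only to build the constructed sample tokens below.
function signHs256(header, payload, secret) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${b64u(crypto.createHmac('sha256', secret).update(input).digest())}`;
}

// Verification pins the algorithm on the verifier's side. The header's alg is
// compared against the expected value, never used to choose how to verify.
function verifyHs256(token, secret) {
  const { header, payload } = decodeJwt(token);
  if (header.alg !== 'HS256') {
    return { ok: false, reason: `alg ${header.alg} not allowed` };
  }
  const [h, p, s] = token.split('.');
  const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  return { ok: true, payload };
}

// Constructed sample data (not real credentials).
const SECRET = 'constructed-demo-secret';
const admin = { sub: 'alice', role: 'admin' };
const good = signHs256({ alg: 'HS256', typ: 'JWT' }, { sub: 'alice', role: 'user' }, SECRET);
// Payload edited after signing, original signature kept.
const [goodHeader, , goodSig] = good.split('.');
const tampered = `${goodHeader}.${b64u(JSON.stringify(admin))}.${goodSig}`;
// Header declares alg none and the signature segment is empty.
const unsigned = `${b64u(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${b64u(JSON.stringify(admin))}.`;

console.log(decodeJwt(unsigned).payload);   // decodes fine: decoding proves nothing
console.log(verifyHs256(unsigned, SECRET)); // rejected before any crypto runs
console.log(verifyHs256(tampered, SECRET)); // rejected: signature no longer matches
console.log(verifyHs256(good, SECRET));     // accepted
```

Because the verifier compares alg against one expected value, the same check also refuses a token whose header names a different algorithm than the one the key was issued for.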

Why Use JSON Workbench JWT Debugger?

Most online JWT tools send your token to their servers for decoding. JSON Workbench is different — every decode, encode, and verification operation runs entirely in your browser.

100% Local & Private

Your tokens never leave your browser. No logging, no analytics on your token data, no server round-trips. Safe for production credentials.

Bi-Directional Editing

Edit the decoded JSON and see the raw token update instantly, or paste a raw token and watch the JSON panels populate — two-way sync throughout.

Cryptographic Verification

Supports HS256/384/512 HMAC secrets and RS256/RS384/RS512 RSA public keys for full signature validation, powered by the jose library.