JWT Debugger & Security Tester
Decode, verify, and edit JSON Web Tokens locally. Includes security tools for testing alg:none and RS256→HS256 vulnerabilities.
JSON Workbench's JWT Debugger provides a secure, client-side environment to decode, verify, and edit JSON Web Tokens. For other data processing needs, explore our JSON Formatter, Base64 Decoder, JSON Compare, File Comparison, and Folder Diff utilities.
Decode, inspect, and verify JSON Web Tokens in three simple steps — all locally in your browser, with zero server calls.
1. Copy a JWT from your application, API client, or browser DevTools and paste it into the Token Input panel on the left.
2. The Header and Payload are instantly decoded into readable JSON. Edit either section and watch the encoded token update in real time.
3. Enter your HMAC secret or RSA/EC public key to cryptographically validate the token signature — locally, never sent to a server.
Header
Contains metadata: the signing algorithm (alg) and token type (typ). Base64URL-encoded and placed as the first segment.
Payload
The claims — data about the user or session, such as sub, exp, iat, and iss. Not encrypted — readable by anyone.
Signature
A cryptographic signature over the header and payload using your secret or private key. Changing any part of the token invalidates this signature.
A: Yes. All decoding and verification happens entirely inside your browser using the Web Crypto API. Your token is never transmitted to any external server. You can verify this by checking the Network tab in your browser DevTools.
A: Decoding simply base64-decodes the token to reveal the header and payload — anyone can do this without a key. Verification uses your secret or public key to cryptographically confirm that the token was signed by a trusted party and has not been tampered with.
A: The alg:none vulnerability allows a malicious actor to forge a JWT without a signature: the token's header declares alg as none, and a server that trusts that header skips the signature check. When the tool detects a token using alg:none, it shows a warning. Servers that do not explicitly reject unsigned tokens are exploitable via this attack.
A: Yes. The Claims Inspector panel automatically parses the exp (expiration) claim and shows whether the token is still valid or has expired, displaying a human-readable date and time alongside a status badge.
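The answers above distinguish decoding from verification and describe why alg:none tokens must be rejected; the following is an added example of a verifier that pins the algorithm, not JSON Workbench's own code. It uses Node's built-in crypto module rather than the jose library, and the secret, claims and function names are constructed for illustration.

```javascript
// Added example: decode vs. verify, with the algorithm pinned by the server.
const { createHmac, timingSafeEqual } = require('node:crypto');

const toB64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64url = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Decoding needs no key: it only reverses Base64URL. Nothing returned here is trusted.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return { header: fromB64url(parts[0]), payload: fromB64url(parts[1]), parts };
}

// Verification: the expected algorithm comes from server configuration (HS256 here).
// The token's own alg header is only compared against it, never used to pick the check.
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  let decoded;
  try { decoded = decodeJwt(token); } catch { return { ok: false, reason: 'malformed' }; }
  const { header, payload, parts } = decoded;
  if (header?.alg !== 'HS256') return { ok: false, reason: 'alg not allowed: ' + header?.alg };
  const expected = createHmac('sha256', secret).update(parts[0] + '.' + parts[1]).digest();
  const given = Buffer.from(parts[2], 'base64url');
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (typeof payload?.exp === 'number' && payload.exp <= nowSeconds) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, payload };
}

// Constructed sample data (hypothetical secret and claims, not from the page).
const SECRET = 'constructed-demo-secret';
const CLAIMS = { sub: 'user-1', exp: 2000000000 };
function signHs256(payload, secret) {
  const head = toB64url({ alg: 'HS256', typ: 'JWT' }) + '.' + toB64url(payload);
  return head + '.' + createHmac('sha256', secret).update(head).digest('base64url');
}
const signedToken = signHs256(CLAIMS, SECRET);
// Same claims, but the header declares alg "none" and the signature segment is empty.
const unsignedToken = toB64url({ alg: 'none', typ: 'JWT' }) + '.' + toB64url(CLAIMS) + '.';
```

Both sample tokens decode to the same claims, but only `signedToken` passes `verifyHs256`; the unsigned one is rejected before any signature comparison takes place.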
Most online JWT tools send your token to their servers for decoding. JSON Workbench is different — every decode, encode, and verification operation runs entirely in your browser.
100% Local & Private
Your tokens never leave your browser. No logging, no analytics on your token data, no server round-trips. Safe for production credentials.
Bi-Directional Editing
Edit the decoded JSON and see the raw token update instantly, or paste a raw token and watch the JSON panels populate — two-way sync throughout.
Cryptographic Verification
Supports HS256/384/512 HMAC secrets and RS256/RS384/RS512 RSA public keys for full signature validation, powered by the jose library.