JWT Debugger

Inspect and debug JWT tokens.

Common JWT Claims

  • iss – Issuer (who created the token)
  • sub – Subject (who the token represents)
  • aud – Audience (who the token is intended for)
  • exp – Expiration time (Unix timestamp)
  • nbf – Not Before time (token is invalid before this)
  • iat – Issued At time (when the token was created)
  • jti – JWT ID (unique identifier for the token)

JWT Debugger FAQ

1. What is a JWT token and how does it work?

A JWT (JSON Web Token) is a compact, URL-safe token used for securely transmitting information between parties as a JSON object. It consists of three parts: Header, Payload, and Signature, separated by dots (e.g., xxxxx.yyyyy.zzzzz).

  • Client logs in and sends credentials.
  • Server validates credentials and generates a JWT.
  • Client stores the JWT (e.g., in localStorage or cookies) and sends it with each request.
  • Server verifies the JWT's signature and grants access if valid.

2. Is JWT secure for authentication?

Yes, JWT is secure if implemented correctly:

  • Use HTTPS to prevent interception.
  • Sign tokens with a strong algorithm (e.g., HS256, RS256).
  • Set short expiration times for tokens.
  • Store tokens securely (avoid localStorage if vulnerable to XSS).

3. How to decode a JWT token?

A JWT can be decoded (not decrypted) because its header and payload are only Base64Url-encoded, not encrypted: anyone holding the token can read them.

const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
// JWT segments are Base64Url ('-' and '_' instead of '+' and '/'); atob() expects standard Base64, so translate first.
const base64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
const payload = JSON.parse(atob(base64));
console.log(payload); // { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }

Note: Decoding does not verify the signature.

4. What is the structure of a JWT token?

A JWT has 3 parts:

  • Header – Algorithm & token type (e.g., {"alg": "HS256", "typ": "JWT"}).
  • Payload – Claims (e.g., {"sub": "123", "name": "Alice", "exp": 1735689600}).
  • Signature – Ensures integrity (e.g., HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)).

5. What is the difference between JWT and OAuth?

  • JWT is a token format (compact, self-contained).
  • OAuth 2.0 is an authorization framework (defines how tokens are issued & used).
  • JWT can be used within OAuth (e.g., as an access token).

6. How to validate a JWT token in backend?

  • Check token structure (header.payload.signature).
  • Verify signature (e.g., using jsonwebtoken in Node.js).
  • Validate claims (exp, iss, aud).
Example (Node.js):
const jwt = require('jsonwebtoken');
// `token` is the JWT taken from the request, e.g. the Authorization: Bearer header.
try {
  // Pin the expected algorithm so a token claiming a different alg (or "none") is rejected.
  const decoded = jwt.verify(token, 'secret-key', { algorithms: ['HS256'] });
  console.log(decoded); // Valid payload (signature and exp already checked by jwt.verify)
} catch (err) {
  console.error("Invalid token!", err.message);
}

7. What does "HS256" mean in a JWT token?

  • HS256 = HMAC + SHA-256 (symmetric signing).
  • A secret key is used for both signing & verification.
  • Alternative: RS256 (asymmetric, uses private/public keys).

8. Is it safe to store JWT in localStorage or cookies?

  • localStorage: Vulnerable to XSS (JavaScript can steal it).
  • Cookies: Secure + HttpOnly cookies cannot be read by JavaScript, so XSS cannot steal them, but they need CSRF protection.
  • Best practice: Use HttpOnly cookies for better security.

9. How to refresh JWT tokens securely?

  1. Issue a short-lived access token (e.g., 15 min).
  2. Issue a long-lived refresh token (stored securely in HTTP-only cookie).
  3. When access token expires, client sends refresh token to get a new one.

10. Can JWT be used for session management?

Yes, but:

  • Pros: Stateless, scalable.
  • Cons: Hard to revoke (use short expiry + refresh tokens).

11. What are the best practices for using JWT?

  • ✔ Use HTTPS.
  • ✔ Set short expiry (e.g., 15-30 mins).
  • ✔ Use strong algorithms (avoid none).
  • ✔ Store tokens securely (HttpOnly cookies).
  • ✔ Validate all claims (iss, aud, exp).

12. How long should a JWT token be valid?

  • Access token: 15-30 mins (short-lived).
  • Refresh token: 7-30 days (long-lived, stored securely).

13. What is the difference between access token and refresh token in JWT?

Access Token                 | Refresh Token
Short-lived (e.g., 15 min)   | Long-lived (e.g., 7 days)
Used for API access          | Used to get new access tokens
Stored in memory/cookie      | Stored securely (HTTP-only cookie)

14. How to sign and verify JWT in Node.js / Python / PHP / Java?

Node.js:
const jwt = require('jsonwebtoken');

// Sign
const token = jwt.sign({ id: 1 }, 'secret', { expiresIn: '1h' });

// Verify (pin the algorithm; throws if the signature or exp is invalid)
const decoded = jwt.verify(token, 'secret', { algorithms: ['HS256'] });

Python (PyJWT):
import jwt
token = jwt.encode({"user_id": 1}, "secret", algorithm="HS256")
decoded = jwt.decode(token, "secret", algorithms=["HS256"])

15. Why is my JWT token not working or showing "Invalid Signature"?

Possible reasons:

  • ❌ Wrong secret/key used.
  • ❌ Token expired (exp claim).
  • ❌ Algorithm mismatch (e.g., server expects RS256 but token uses HS256).

16. What is the difference between JWS, JWT, and JWE?

  • JWT = JSON Web Token (the claims data format).
  • JWS = JSON Web Signature (a JWT whose content is signed).
  • JWE = JSON Web Encryption (a JWT whose payload is encrypted).

17. How can I blacklist or revoke a JWT token?

  • Short expiry + refresh tokens.
  • Token blacklist (store invalidated tokens in DB/Redis).
  • Opaque tokens (store session state on server).

18. What are the common vulnerabilities in JWT implementation?

  • Algorithm "none" attack (disable none alg).
  • Weak secret keys (use strong keys).
  • XSS token theft (use HttpOnly cookies).
  • No expiration (always set exp).

19. Can JWT tokens be reused across domains?

Yes, but it is not recommended for security reasons:

  • CORS must be configured properly.
  • SameSite cookies prevent CSRF.

20. What happens if someone steals my JWT token?

An attacker can impersonate you until the token expires.

Mitigations:

  • Use short-lived tokens.
  • Implement token blacklisting.
  • Use HTTPS + Secure cookies.