JWT & JWE Debugger – Decode, Verify, Validate Claims

Paste a token to instantly decode header and payload, verify signatures against secrets, PEM/JWK, or JWKS URL, validate claims, and re‑encode tokens for testing. Supports HS256, RS256, ES256, PS256, and EdDSA.

Introduction

The JWT & JWE Debugger helps developers and security engineers safely inspect and validate tokens. Paste a JWT to see the header, payload, and signature, verify it using a secret, public/private key, or a JWKS URL, and validate time-based claims like exp, nbf, and iat.

Key Capabilities

  • Decode header and payload with Base64URL
  • Verify signature against symmetric or asymmetric keys (HS256, RS256, ES256, PS256, EdDSA)
  • Validate exp, nbf, iat, aud, and iss
  • Highlight insecure algorithms (e.g., none)
  • Edit fields and re‑encode tokens (including unsigned test tokens)
  • Detect nested tokens inside claims
  • JWKS URL integration for key discovery

How to Use

  1. Paste your JWT or JWE token into the input.
  2. Optionally specify expected aud and iss to validate claims.
  3. Select algorithm and choose key source: secret, PEM (SPKI/PKCS#8), JWK JSON, or JWKS URL.
  4. Click Verify to validate the signature.
  5. Switch to Edit & Re‑encode to modify fields and generate a new token for testing.

Security note: Never accept or deploy tokens using the none algorithm in production. Use strong keys and rotate them regularly.
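The checks the steps above walk through (Base64URL decoding, refusing none, HS256 signature verification, then exp, nbf, iat, aud and iss), written out as an added Python example; it is not the debugger's own code. The secret, issuer, audience and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-secret"  # constructed sample key, not a real secret
CLAIMS = {"iss": "https://issuer.example", "aud": "api.example",
          "iat": 1000, "nbf": 1000, "exp": 2000}  # constructed sample claims

def b64url_decode(part):
    # JWTs strip Base64URL padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(header, payload, secret):
    # Builds test tokens, the equivalent of the re-encode step.
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token, secret, aud, iss, now=None, leeway=0):
    """Return the payload if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
        if not (isinstance(header, dict) and isinstance(payload, dict)):
            raise TypeError("header and payload must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm the verifier expects; the header must not choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    for claim in ("exp", "nbf", "iat"):
        if claim in payload and not isinstance(payload[claim], (int, float)):
            raise ValueError(f"{claim} must be numeric")
    if "exp" not in payload or now >= payload["exp"] + leeway:
        raise ValueError("expired or missing exp")
    if now < payload.get("nbf", now) - leeway:
        raise ValueError("not yet valid (nbf)")
    if payload.get("iat", now) > now + leeway:
        raise ValueError("iat in the future")
    auds = payload.get("aud")  # aud may be a single string or a list of strings
    if aud != auds and not (isinstance(auds, list) and aud in auds):
        raise ValueError("aud mismatch")
    if payload.get("iss") != iss:
        raise ValueError("iss mismatch")
    return payload
```

The signature is checked before any claim is read, so claim errors are only ever reported for tokens that were actually signed with the expected key.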

FAQs

Is my token sent to a server?
No. Decoding and verification are performed in your browser.

Can I debug JWE?
JWE headers are shown. Decryption requires the correct key and algorithm, and support may vary by provider.

What algorithms are supported?
HS256, RS256, ES256, PS256, and EdDSA for verification; editing supports generating unsigned tokens or signing when a key is provided.