📖 Description
1. Why Do You Need a JWT Debugging Tool?
When developing OAuth2, Single Sign-On (SSO), or RESTful APIs, JWT serves as the link between client and server:
- Parse Payload Content: Quickly view the user ID (sub), permissions (scopes), and custom claims carried within the token, confirming backend logic is correct without writing code.
- Verify Validity: Check the exp (expiration time) and iat (issued at) fields to determine why a token is invalid or not yet active.
- Confirm Signature Security: Verify that the token was indeed issued by your server. By entering the shared secret (HMAC) or the public key (RSA), confirm the data has not been tampered with in transit.
- Troubleshoot Base64 Errors: Automatically handle URL-safe Base64 encoding, fixing Token format errors caused by manual operations.
2. Core Feature Analysis
This site's tool provides a comprehensive breakdown of JWT's three components (Header, Payload, Signature):
A. Structured Decoding (Visual Decoding)
- Header: Parses the algorithm type (e.g., HS256, RS256) and token type (JWT).
- Payload: Displays JSON claims in a highlighted format, supporting nested object display.
- Signature: Extracts the signature digest for comparison and verification.
B. Real-time Signature Verification
- HS256 (HMAC + SHA256): Enter your Secret, and the tool recalculates the signature in real time, reporting "Signature Verified" or "Invalid Signature".
- RS256 (RSA + SHA256): Supports pasting a Public Key to verify asymmetrically signed tokens.
C. Auto-correction & Time Conversion
- Timestamp Visualization: Automatically converts Unix timestamps such as exp into human-readable Beijing Time.
- Expiration Warning: If the Token has expired, the system highlights it prominently in red.
D. Privacy Protection (Local Computation)
- Zero Leakage Risk: All decoding and hash verification logic is executed locally in your browser.
- Local Processing: Your Token and sensitive Secret/Key are never uploaded to the server. This is crucial when handling tokens that carry production environment permissions.
3. Common JWT Claim Field Reference
| Field | Full Name | Purpose |
| --- | --- | --- |
| iss | Issuer | Token issuer. Usually the URL of the auth server. |
| sub | Subject | Subject of the token. Usually a user ID or account. |
| exp | Expiration Time | Expiration time. The point when the token becomes invalid. |
| iat | Issued At | Issued-at time. When the token was created. |
| aud | Audience | Audience. The intended recipient service for this token. |
4. Brief Operation Flow
- Paste Token: Paste the complete JWT string (usually containing two dots, .) into the left input box.
- View Decoding: The decoded raw content of the Header and Payload is immediately displayed on the right.
- Verify Signature (Optional): Enter your secret key or paste the public key in the "Verify Signature" area below; the system provides real-time feedback on the verification result.
- Check Time: Review the "Validity Report" to confirm if the Token is in a usable state.
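The decoding, HS256 verification and validity check described in the feature breakdown and in the flow above, written out as an added Python example (this is not the site's own JS; the secret and claims are constructed for the demo):

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are URL-safe Base64 with padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_jwt(token: str) -> dict:
    # Split header.payload.signature and parse the two JSON segments.
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),
    }

def verify_hs256(token: str, secret: bytes) -> bool:
    # Recompute HMAC-SHA256 over "header.payload" and compare in constant time.
    header_b64, payload_b64, sig_b64 = token.split(".")
    if decode_jwt(token)["header"].get("alg") != "HS256":
        return False  # only verify the algorithm we expect; never trust alg blindly
    msg = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))

def check_times(payload: dict, now: int) -> str:
    # Mirror the tool's "Validity Report" using the exp and iat claims.
    if "exp" in payload and now >= payload["exp"]:
        return "expired"
    if "iat" in payload and now < payload["iat"]:
        return "not yet active"
    return "valid"

def sign_hs256(payload: dict, secret: bytes) -> str:
    # Build a constructed sample token so the demo runs offline (demo secret only).
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    body = json.dumps(payload, separators=(",", ":"))
    unsigned = f"{b64url_encode(header.encode())}.{b64url_encode(body.encode())}"
    sig = hmac.new(secret, unsigned.encode("ascii"), hashlib.sha256).digest()
    return f"{unsigned}.{b64url_encode(sig)}"
```

A token whose payload segment is altered after signing fails verify_hs256, which is exactly the tamper check the "Verify Signature" step performs.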
5. Why Choose This Site's JWT Assistant?
- Supports Multiple Algorithms: Perfectly compatible with mainstream algorithms like HS256, HS384, HS512, RS256.
- Developer-Friendly: Provides JSON formatting and beautification, supports one-click copying of the parsed Payload.
- Completely Free: No registration required, unlimited usage, an ideal companion for debugging microservice interfaces.
- Works Offline: Core logic runs as local JS; once the page has loaded, decoding keeps working even if the network is disconnected.