Why Another JWT Tool?
Most JWT debugging workflows involve copying a token into an online tool, inspecting the payload, and moving on. That works fine for simple use cases, but falls short when you need to do more — sign a token with a specific algorithm, verify a signature against a public key, or quickly check whether a token has expired.
The JWT Debugger is a free, browser-based tool that covers the full JWT workflow: decode, inspect, sign, and verify — all in one place, with no installation and no account required.
What It Does
Decode and inspect: Paste any JWT and the tool splits it into header, payload, and signature — colour-coded so each part is visually distinct. Timestamp claims (iat, exp, nbf) are automatically converted to human-readable dates with a relative time display ("expires in 2h", "3 days ago").
Status at a glance: A badge shows whether the token is Active, Expired, or has No Expiry set. If a token is expired, you see exactly how long ago — no manual Unix timestamp conversion needed.
Sign tokens: Build a header and payload from scratch and sign them. All twelve standard algorithms are supported:
| Family | Algorithms |
| --- | --- |
| HMAC | HS256, HS384, HS512 |
| RSA PKCS#1 | RS256, RS384, RS512 |
| RSA-PSS | PS256, PS384, PS512 |
| ECDSA | ES256, ES384, ES512 |
For HMAC algorithms, enter your shared secret. For asymmetric algorithms, paste your PKCS#8 private key. The tool signs the token locally using crypto.subtle.sign and gives you the complete JWT.
Verify signatures: Paste a JWT and your key, click Verify, and the tool confirms whether the signature is valid. For RSA and ECDSA, paste the public key in SPKI PEM format. Verification is performed entirely by crypto.subtle.verify.
Edit and re-encode: Modify the header or payload JSON and the encoded token updates in real time. Useful for quickly testing how a claim change affects the token structure, or for building a test token before signing it.
How It Works Under the Hood
The tool is built on the Web Crypto API — a browser-native cryptography interface available in all modern browsers. There are no third-party cryptography libraries. Every signing and verification operation calls crypto.subtle directly.
Base64url encoding and decoding are handled with TextEncoder and atob/btoa. PEM keys are stripped of their headers and decoded from base64 before being passed to crypto.subtle.importKey. The signing input follows the JWT spec — base64url(header) + "." + base64url(payload) — and the resulting signature bytes are base64url-encoded and appended as the third segment.
If you want to verify the behaviour yourself: open DevTools, go to the Network tab, and paste a token. You will see zero outbound requests.
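The signing input, base64url handling and crypto.subtle calls described above, as an added example that is not the JWT Debugger's own source. It is narrowed to HS256, the helper names (signHS256, checkHS256, hmacKey) are hypothetical, and the verifier pins the algorithm instead of trusting the token's header.

```javascript
// Added example, not the tool's source. Falls back to Node's webcrypto if no global crypto.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();

// base64url is base64 with '+' and '/' swapped for '-' and '_' and '=' padding removed.
function b64urlEncode(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function hmacKey(secret, usage) {
  return subtle.importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);
}

async function signHS256(payload, secret) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const input = b64urlEncode(enc.encode(JSON.stringify(header))) + '.' +
    b64urlEncode(enc.encode(JSON.stringify(payload)));
  const sig = await subtle.sign('HMAC', await hmacKey(secret, 'sign'), enc.encode(input));
  return input + '.' + b64urlEncode(new Uint8Array(sig));
}

// Returns 'invalid', 'expired', 'active' or 'no-expiry'.
async function checkHS256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'invalid';
  try {
    const header = JSON.parse(dec.decode(b64urlDecode(parts[0])));
    // Pin the algorithm on the verifier side; never let the token choose it.
    if (header.alg !== 'HS256') return 'invalid';
    const ok = await subtle.verify('HMAC', await hmacKey(secret, 'verify'),
      b64urlDecode(parts[2]), enc.encode(parts[0] + '.' + parts[1]));
    if (!ok) return 'invalid';
    const claims = JSON.parse(dec.decode(b64urlDecode(parts[1])));
    if (typeof claims.exp !== 'number') return 'no-expiry';
    return nowSec >= claims.exp ? 'expired' : 'active';
  } catch {
    return 'invalid'; // malformed base64url or JSON
  }
}
```

The signature is checked before the payload claims are read, so the exp status is only ever reported for a token whose signature verified.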
Try It
Open the JWT Debugger and paste any JWT into the top field. The decoded header and payload appear immediately. No account, no signup.
If you want to understand the theory behind what you are looking at — how the header, payload, and signature fit together, what RS256 means, and how the private/public key split works — the companion article JWT Shared Secret: How JWTs are Signed and Shared Across Services covers the fundamentals.
The JWT Debugger is one of several developer tools at SolutionToolkit. All tools run client-side with no server-side processing.