Free JWT Debugger & Decoder
Paste a JSON Web Token to decode its header and payload and get warnings for alg:none, weak algorithms, missing expiry, and sensitive claims.
Frequently asked
Is my token sent anywhere?
No. Decoding, security analysis, and optional HS256 signature verification all run in your browser; the verification step uses the Web Crypto API. The token never touches a server.
What security issues does it flag?
alg:none (unsigned tokens), weak or symmetric algorithms where an asymmetric one is expected, an exp claim that is missing or unreasonably far in the future, and sensitive claim names (password, secret, ssn, credit_card) that shouldn't live in a JWT, since the payload is only base64url-encoded and anyone holding the token can read it.
Can it verify the signature?
For HS256 tokens you can paste the secret and the tool will verify the signature locally. RS/ES signatures are decoded and inspected but not cryptographically verified in the browser.
Run a full security scan →