A JSON Web Token (JWT) is a compact, URL-safe means of representing claims between two parties. It consists of three Base64URL-encoded parts: a header (algorithm and type), a payload (claims/data), and a signature. JWTs are commonly used for authentication and information exchange in web applications.

Is this JWT debugger safe to use?

Yes. NexTool's JWT Debugger runs entirely in your browser using client-side JavaScript. No tokens or secrets are ever sent to any server. All decoding, verification, and signing happens locally on your machine.

What signing algorithms are supported?

This tool supports HMAC-based signing algorithms: HS256 (HMAC-SHA256), HS384 (HMAC-SHA384), and HS512 (HMAC-SHA512). These use the Web Crypto API built into your browser for secure cryptographic operations.

Can I create new JWT tokens with this tool?

Yes. Switch to the Create Token tab, enter your header and payload JSON, provide a secret key, select an algorithm, and click Sign & Create JWT. The tool will generate a valid, signed JWT token entirely in your browser.

Free JWT Debugger — Decode, Verify & Create JWT Tokens

Registered JWT Claims (RFC 7519)

issIssuer

Identifies the principal that issued the JWT. This is typically a URL or string that identifies the authorization server or service that created the token.

subSubject

Identifies the principal that is the subject of the JWT. The claims in a JWT are usually statements about the subject. The subject value must be scoped to be locally unique or globally unique.

audAudience

Identifies the recipients that the JWT is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. If the processing principal does not match, the JWT must be rejected.

expExpiration Time

Identifies the expiration time on or after which the JWT must not be accepted for processing. The value must be a NumericDate (seconds since Unix epoch). Implementors may provide a small leeway to account for clock skew.

nbfNot Before

Identifies the time before which the JWT must not be accepted for processing. The value must be a NumericDate. This allows tokens to be created in advance that are only valid after a specific point in time.

iatIssued At

Identifies the time at which the JWT was issued. The value must be a NumericDate. This claim can be used to determine the age of the JWT and is often used for token rotation policies.

jtiJWT ID

Provides a unique identifier for the JWT. The identifier value must be assigned in a way that ensures there is a negligible probability of duplication. This can be used to prevent the JWT from being replayed (one-time-use tokens).

Common Header Parameters

algAlgorithm

Identifies the cryptographic algorithm used to secure the JWS. Common values: HS256, HS384, HS512 (HMAC), RS256, RS384, RS512 (RSA), ES256, ES384, ES512 (ECDSA), none (unsecured).

typType

Declares the media type of the complete JWT. The value "JWT" is conventionally used to indicate this is a JSON Web Token. This parameter is optional and is ignored by JWT implementations.

kidKey ID

A hint indicating which key was used to secure the JWS. This allows originators to explicitly signal a change of key to recipients. Used in systems with multiple signing keys (key rotation).

Free JWT Debugger

Registered JWT Claims (RFC 7519)

Common Header Parameters

Need something more powerful?

Get NexTool Pro