JWT Depurador

Analiza en profundidad las cabeceras y claims de tokens. Procesado localmente para un análisis sin fugas.
Qué hace

Shows what is inside a JSON Web Token.

Úsalo para

Inspecting claims, expiration times, issuers, and token structure during debugging.

No lo uses para

Deciding that a token is trustworthy just because you can read it.

Compréndelo

Aprende el modelo mental antes de confiar en el resultado.

Contexto breve y práctico que explica para qué sirve la herramienta, cómo funciona y dónde la gente se equivoca.

In plain English

A JWT is a compact token format used to carry structured data such as user IDs, roles, or expiration times. This tool helps you read that data locally.

How it works

A JWT usually has three parts: header, payload, and signature. The first two parts are Base64URL-encoded JSON, so they are easy to decode. The signature is what tells you whether the token was actually issued by someone you trust.

A JWT is three parts joined by dots

Readable content lives in the header and payload. Trust comes from proper signature verification, not from decoding.

Where you'd use it

  • Checking when a token expires during app debugging.
  • Inspecting claims like issuer, subject, audience, or roles.
  • Understanding why a backend accepted or rejected a token.

Common mistake

Decoding a JWT only tells you what the token says, not whether it is genuine. A forged token can still decode perfectly.

Antecedentes

History / fun fact

JWT became popular because it is compact and easy to move between services. That convenience is also why people often over-trust it: the contents are readable, so it feels more trustworthy than it really is.

Security note

Real verification requires checking the signature with the correct secret or public key and validating claims like exp, aud, and iss in the right context.

Deeper look

Header vs payload

The header says how the token is signed. The payload carries claims. Both are readable after decoding and neither should be treated as trusted by themselves.

What signature verification requires

To verify a JWT, you need the expected algorithm, the right secret or public key, and claim validation logic that matches your application.