JWT Debugger

In-depth analysis of token headers and claims. Local processing for leak-free analysis.

What it does

Shows what is inside a JSON Web Token.

Use it for

Inspecting claims, expiration times, issuers, and token structure during debugging.

Do not use it for

Deciding that a token is trustworthy just because you can read it.

Understand

Master the mental model before trusting the result.

A short, practical background that explains what the tool is for, how it works, and where common mistakes happen.

In plain English

A JWT is a compact token format used to carry structured data such as user IDs, roles, or expiration times. This tool helps you read that data locally.

How it works

A JWT usually has three parts: header, payload, and signature. The first two parts are Base64URL-encoded JSON, so they are easy to decode. The signature is what tells you whether the token was actually issued by someone you trust.

A JWT is three parts joined by dots

Readable content lives in the header and payload. Trust comes from proper signature verification, not from decoding.

Where you'd use it

  • Checking when a token expires during app debugging.
  • Inspecting claims like issuer, subject, audience, or roles.
  • Understanding why a backend accepted or rejected a token.

Common mistake

Decoding a JWT only tells you what the token says, not whether it is genuine. A forged token can still decode perfectly.

Background

History / fun fact

JWT became popular because it is compact and easy to move between services. That convenience is also why people often over-trust it: the contents are readable, so it feels more trustworthy than it really is.

Security note

Real verification requires checking the signature with the correct secret or public key and validating claims like exp, aud, and iss in the right context.

Deeper look

Header vs payload

The header says how the token is signed. The payload carries claims. Both are readable after decoding and neither should be treated as trusted by themselves.

What signature verification requires

To verify a JWT, you need the expected algorithm, the right secret or public key, and claim validation logic that matches your application.