JWT Debugger

Ponor sa do hlavičiek a claims tokenov. Spracované lokálne pre analýzu bez úniku dát.

Zakódovaný token

Čo to robí

Shows what is inside a JSON Web Token.

Na čo to použiť

Inspecting claims, expiration times, issuers, and token structure during debugging.

Na čo to nie je

Deciding that a token is trustworthy just because you can read it.

In plain English

A JWT is a compact token format used to carry structured data such as user IDs, roles, or expiration times. This tool helps you read that data locally.

How it works

A JWT usually has three parts: header, payload, and signature. The first two parts are Base64URL-encoded JSON, so they are easy to decode. The signature is what tells you whether the token was actually issued by someone you trust.

A JWT is three parts joined by dots

Readable content lives in the header and payload. Trust comes from proper signature verification, not from decoding.

Where you'd use it

Checking when a token expires during app debugging.
Inspecting claims like issuer, subject, audience, or roles.
Understanding why a backend accepted or rejected a token.

Common mistake

Decoding a JWT only tells you what the token says, not whether it is genuine. A forged token can still decode perfectly.

Pozadie

History / fun fact

JWT became popular because it is compact and easy to move between services. That convenience is also why people often over-trust it: the contents are readable, so it feels more trustworthy than it really is.

Security note

Real verification requires checking the signature with the correct secret or public key and validating claims like exp, aud, and iss in the right context.

Deeper look

Header vs payload

The header says how the token is signed. The payload carries claims. Both are readable after decoding and neither should be treated as trusted by themselves.

What signature verification requires

To verify a JWT, you need the expected algorithm, the right secret or public key, and claim validation logic that matches your application.