JWT & JWE Debugger

Debug, encode, decode, sign, verify, encrypt, and decrypt JWT and JWE tokens

Your data security is our top priority. All encoding, decoding, encryption and decryption happen in your browser. This tool does not store your JWTs and JWEs or send them outside of the browser. The source code is available at: https://github.com/authgear/authgear-widget-jwt-debugger

Encode/Decode JWT
Quickly create and inspect JWTs. Paste a JWT to decode the header and payload, or craft your own for testing.
Sign & Verify JWT
Generate cryptographic signatures when creating JWTs, and verify existing JWT signatures to confirm token authenticity and integrity.
JWE Encryption
Encrypt any JWT into a JWE using a public key, ensuring data remains confidential during transmission.
JWE Decryption
Decrypt a JWE token to retrieve the original JWT—including the payload—for analysis.

How the Tool Works

Step 1.
Paste or Generate a JWT:
  • Input your JWT to see its decoded header and payload instantly.
  • The tool can verify the JWT’s signature to confirm authenticity and integrity, highlighting whether the token is valid or has been tampered with.
Step 2.
Encode and Sign JWT:
  • Create a new JWT by providing your custom header and payload.
  • The tool will generate a digital signature to complete and secure the token, allowing you to use it immediately with validated claims.
Step 3.
Encrypt JWT to JWE:
  • Enter a public key to encrypt the signed JWT, producing a JWE for secure transmission where confidentiality is required.
Step 4.
Decrypt JWE:
  • Input the encrypted JWE and the relevant private key to decrypt it and retrieve the original JWT.
Step 5.
Inspect Claims:
  • Inspect standard fields and any custom claims, all with instant verification results for accuracy and compliance.

What is a JWT (JSON Web Token)?

A JWT (JSON Web Token) is an open standard (RFC 7519) for transmitting information securely between parties as a compact, URL-safe JSON object. JWTs are widely used in authentication systems, enabling stateless session management and API security. A standard JWT has three parts:
  • Header: Specifies the token type and the algorithm used to sign the token.
  • Payload: Contains claims—statements about the user and additional metadata.
  • Signature: Verifies that the sender of the JWT is who it says it is and ensures the message wasn’t changed along the way.

Common Use Cases:
  • User authentication and single sign-on (SSO)
  • Secure API authentication and authorization
  • Information exchange between applications

What is a JWE (JSON Web Encryption)?

A JWE (JSON Web Encryption) is another open standard (RFC 7516) for encrypting content, providing confidentiality for transmitted information. JWE wraps content—such as a signed JWT—in an encrypted format that only intended parties can decrypt and read. A standard JWE structure:
  • Protected Header
  • Encrypted Key
  • Initialization Vector
  • Ciphertext (the actual encrypted content)
  • Authentication Tag

Common Use Cases:
  • Protect sensitive JWT payloads in transit
  • Secure confidential data exchange between services
  • Layer additional security on top of standard JWTs
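
As an added example (not code from this tool or its repository), the Python below tells a three-part JWT from a five-part JWE by counting segments, decodes the readable header of each, and verifies an HS256 signature with the algorithm pinned by the verifier rather than taken from the token. The key, claims and JWE segment values are constructed for the illustration, and the helper names are hypothetical.

```python
import base64, hashlib, hmac, json

def b64url_decode(segment: str) -> bytes:
    # Compact tokens strip '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def classify(token: str) -> str:
    # Three dot-separated segments: signed JWT. Five: JWE.
    return {3: "JWT", 5: "JWE"}.get(len(token.split(".")), "invalid")

def decode_header(token: str) -> dict:
    # The first segment is only base64url-encoded JSON in both formats.
    return json.loads(b64url_decode(token.split(".")[0]))

def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    signing_input = encode_json(header) + "." + encode_json(payload)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)

def verify_hs256(token: str, key: bytes) -> dict:
    if classify(token) != "JWT":
        raise ValueError("not a three-part JWT")
    header_b64, payload_b64, sig_b64 = token.split(".")
    # The verifier pins the algorithm; the token's header does not get to choose.
    if decode_header(token).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))

# Constructed sample values (not real secrets or tokens).
KEY = b"constructed-demo-key"
TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "user-123", "role": "viewer"}, KEY)
# Constructed JWE shape: real header, placeholder bytes for the other four parts.
JWE_SAMPLE = ".".join([encode_json({"alg": "RSA-OAEP-256", "enc": "A256GCM"}),
                       *(b64url_encode(p) for p in (b"key", b"iv", b"ct", b"tag"))])

if __name__ == "__main__":
    print(classify(TOKEN), decode_header(TOKEN), verify_hs256(TOKEN, KEY))
    print(classify(JWE_SAMPLE), decode_header(JWE_SAMPLE))
```

Both headers decode without any key, which is why neither format should carry secrets in its header, and why a signed JWT's payload is readable by anyone who holds the token.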