Debug & Test JWT Tokens Step-by-Step
Debug JWT validation issues and test tokens against custom rules. Our tool simulates verification, highlights errors, and provides code snippets to help you fix authentication problems in your application.
How JWT Debugging Works
The debugger performs comprehensive validation on JWT tokens, checking structure, encoding, and claims. It splits the token into three parts and validates each segment independently.
For the header and payload, it attempts Base64URL decoding followed by JSON parsing. The tool flags missing required fields, suspicious patterns, and potential security issues.
Validation checks performed:
- Structure - Exactly 3 dot-separated segments
- Header validity - Contains alg field, valid JSON
- Payload validity - Valid JSON, no syntax errors
- Expiry status - Compares exp against current time
- Not-before check - Validates nbf if present
- Format warnings - Whitespace, unusual length, empty segments
Errors indicate the token is malformed and won't work. Warnings flag potential issues that might cause problems in production (like missing exp claims).
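The checks listed above can be reproduced locally with a short script. This is an added example, not the tool's own code; it leaves out the unusual-length warning. The function names, message strings and the sample-token builder are assumptions made for illustration, and like the debugger it does not verify the signature.

```python
import base64, json, re, time

B64URL = re.compile(r"^[A-Za-z0-9_-]*$")  # URL-safe alphabet, no '=' padding

def decode_segment(name, seg, errors, warnings):
    """Base64URL-decode one segment and parse it as a JSON object."""
    if not seg:
        warnings.append(f"{name}: empty segment")
    if not B64URL.match(seg) or len(seg) % 4 == 1:
        errors.append(f"{name}: invalid Base64URL")
        return None
    try:
        obj = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except ValueError:  # JSON syntax errors and invalid UTF-8 both land here
        obj = None
    if not isinstance(obj, dict):
        errors.append(f"{name}: not a valid JSON object")
        return None
    return obj

def debug_jwt(token, now=None):
    """Return (errors, warnings). Format and claims only: no signature check."""
    now = time.time() if now is None else now
    errors, warnings = [], []
    if re.search(r"\s", token):
        warnings.append("token contains whitespace")
        token = re.sub(r"\s+", "", token)
    parts = token.split(".")
    if len(parts) != 3:
        return [f"expected 3 segments, got {len(parts)}"], warnings
    header = decode_segment("header", parts[0], errors, warnings)
    payload = decode_segment("payload", parts[1], errors, warnings)
    if header is not None and "alg" not in header:
        errors.append("header: missing alg field")
    if payload is not None:
        exp, nbf = payload.get("exp"), payload.get("nbf")
        if exp is None:
            warnings.append("payload: missing exp claim")
        elif not isinstance(exp, (int, float)):
            errors.append("payload: exp is not a numeric timestamp")
        elif exp <= now:
            warnings.append(f"payload: expired {int(now - exp)}s ago")
        if isinstance(nbf, (int, float)) and nbf > now:
            warnings.append("payload: nbf is in the future")
    return errors, warnings

def sample_token(payload):  # constructed sample; the signature is a placeholder
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(payload)}.c2lnbmF0dXJl"
```

Passing `now` explicitly makes the expiry result independent of the local clock, which is useful when reproducing a report from another machine.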
When You'd Actually Use This
Troubleshooting 401 authentication errors
Your API returns "invalid token" but you don't know why. The debugger reveals the token expired 2 hours ago or has a malformed header.
Validating tokens from new auth providers
Integrating Auth0 for the first time? Debug their sample tokens to understand the claim structure before writing parsing code.
Testing token generation code
You wrote a JWT signing function. Debug the output to catch bugs like missing claims, wrong timestamp formats, or encoding errors.
Security code reviews
Reviewing auth code? Debug tokens to verify they include security-critical claims like exp, iss, and aud.
Learning JWT structure
New to JWTs? Debug various tokens to see how different providers structure headers and what claims they include by default.
Pre-flight token validation
Before sending tokens to your API, debug them locally. Catch formatting issues early instead of debugging network requests.
What to Know Before Using
Debugger doesn't verify signatures. It checks format and claims, not cryptographic validity. A token can pass debugging but still be forged. Always verify signatures in production.
Errors vs. warnings matter. Errors mean the token is broken and won't work. Warnings indicate suboptimal configuration (like missing exp) that might work but isn't recommended.
Expiry is checked against your system clock. If your computer's clock is wrong, expiry warnings will be inaccurate. Sync your clock or use server-side validation for production.
Some warnings are context-dependent. Missing aud might be fine for single-service apps but dangerous for microservices. Consider your architecture when evaluating warnings.
Security reminder: Never debug production tokens containing real user data in online tools. Use development tokens or locally-hosted debuggers for sensitive environments.
Common Questions
Why does my token show "missing alg field"?
The header JSON doesn't include an alg property. This is required by the JWT spec. Check your token generation code—the header should be { "alg": "HS256", "typ": "JWT" }.
What does "token contains whitespace" mean?
JWTs shouldn't have spaces, newlines, or tabs. Whitespace often gets introduced when copying from logs or emails. Trim the token before using it.
Is a warning about missing exp serious?
Yes, for most use cases. Tokens without exp never expire—a security risk if the token is compromised. Add expiry unless you have a specific reason not to.
Why does the debugger say "invalid Base64URL"?
The segment uses standard Base64 characters (+, /) instead of URL-safe ones (-, _). Or padding is incorrect. Regenerate the token with proper Base64URL encoding.
Can this debug encrypted JWTs (JWE)?
No. JWE tokens have 5 segments and encrypted payloads. This debugger handles standard JWS tokens (3 segments). JWE requires decryption with the appropriate key first.
The debugger says my token is valid but my app rejects it. Why?
Format validity ≠ signature validity. The token might be well-formed but signed with the wrong key, or your app expects different claims. Check signature verification and claim validation separately.