Security · 7 min read · March 2, 2026

JWT Tokens Explained: What They Are and How to Debug Them

Understand JSON Web Tokens (JWT) — how they work, their structure, common security issues, and how to decode and debug them with free online tools.

What Is a JWT Token?

A JSON Web Token (JWT, RFC 7519) is a compact, URL-safe way to pass a set of claims between parties as a JSON object that is signed and, optionally, encrypted. The common form is the signed token: the signature lets the recipient detect tampering and confirm who issued it, but the contents themselves are only Base64url-encoded and can be read by anyone holding the token. JWTs are widely used for authentication and authorization in modern web applications and APIs, in particular in OAuth 2.0 / OpenID Connect flows and single-page apps, so when you log into a website there is a good chance a JWT is involved.

JWT Structure

A JWT consists of three parts separated by dots:

xxxxx.yyyyy.zzzzz

header.payload.signature

Header

Contains the token type and signing algorithm:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

Contains the claims — the actual data being transmitted:

{
  "sub": "1234567890",
  "name": "John Doe",
  "role": "admin",
  "iat": 1516239022,
  "exp": 1516242622
}

Signature

Lets the verifier detect that the header or payload has been altered. For HS256 it is the HMAC over the first two Base64url segments, joined by a dot, keyed with the shared secret; the raw HMAC bytes are then Base64url-encoded to form the third segment:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

How JWT Authentication Works

  • User logs in with username and password
  • Server verifies credentials and creates a JWT
  • Server sends the JWT to the client
  • Client stores the JWT (in a cookie or, less safely, in localStorage; see the best practices below)
  • Client sends the JWT with every subsequent request, usually in an Authorization: Bearer header or a cookie
  • Server verifies the JWT signature, checks exp, iss and aud, and only then grants access

Common JWT Claims

Claim   Name          Description
iss     Issuer        Who created the token
sub     Subject       Who the token is about
aud     Audience      Who the token is for
exp     Expiration    When the token expires
iat     Issued At     When the token was created
nbf     Not Before    Token not valid before this time
jti     JWT ID        Unique token identifier

Debugging JWT Tokens

When authentication breaks, you need to inspect the JWT. Here's how:

Step 1: Decode the Token

Open our JWT Decoder tool and paste your token. It instantly shows the decoded header and payload. Remember that a token is a bearer credential: only paste tokens from test or development environments, never a live production token.

Step 2: Check Expiration

Look at the exp claim. It is a NumericDate: seconds (not milliseconds) since the Unix epoch. If the current time is past exp, the token is expired; this is one of the most common authentication failures. If nbf is present, the token is also rejected before that time, and a clock that is a few minutes off between issuer and verifier can make a fresh token look expired or not yet valid.

Step 3: Verify Claims

Check that iss, aud, and sub match the values your server expects. The server should compare iss and aud against a fixed allow-list, not merely check that they are present; mismatched claims cause authorization failures even when the signature is valid.

Step 4: Check the Algorithm

The header's alg field should match your server's configuration. Common algorithms:

• HS256 — HMAC with SHA-256 (symmetric: the same secret signs and verifies)
• RS256 — RSA with SHA-256 (asymmetric: private key signs, public key verifies)
• ES256 — ECDSA with SHA-256 (asymmetric)

A mismatch here usually means the token was issued by a different service or key than the one you are validating against. The server must pin the algorithms it accepts rather than trusting whatever alg the header declares; a verifier that honours the header's alg can be tricked into accepting alg: none or into treating an RSA public key as an HMAC secret.

JWT Security Best Practices

Do:

• Set short expiration times (for example 15 minutes for access tokens)
• Use refresh tokens for long sessions, and rotate them on use
• Store tokens in httpOnly cookies (not localStorage), flagged Secure and SameSite, and add CSRF protection because cookies are sent automatically
• Validate all claims on the server: signature first, then exp/nbf, iss and aud
• Use strong signing secrets (256+ bits from a CSPRNG) for HMAC, or asymmetric keys (RS256/ES256) when more than one service must verify tokens

Don't:

• Store sensitive data in the payload (it's Base64url encoded, not encrypted)
• Accept the none algorithm; reject it in the verifier rather than merely avoiding it when issuing
• Put tokens in URL query parameters (they end up in server logs, browser history and Referer headers)
• Trust the client-side token without server verification
• Share signing secrets across services or environments

JWT vs Session-Based Authentication

Feature        JWT            Sessions
Storage        Client-side    Server-side
Scalability    Excellent      Requires shared storage
Revocation     Difficult      Easy
Stateless      Yes            No
Size           Larger         Small session ID

Common JWT Mistakes

  • Not checking expiration — always verify the exp claim
  • Storing in localStorage — any script running in the page, including an injected XSS payload, can read it
  • Using weak secrets — an HS256 signature can be brute-forced offline by anyone holding a token, so a dictionary-word secret is recovered in seconds
  • Not rotating secrets — periodically change signing keys, and use the kid header so verifiers can pick the right key during the rotation window
  • Trusting the payload blindly — always verify the signature first
Decode JWT Tokens Free

Use our JWT Decoder to inspect any JWT token instantly. See the header, payload, and expiration time — all processed in your browser with zero data sent to any server.

Tags: jwt, json web tokens, authentication, jwt decoder, web security
