Tool Guide
JWT Debugger & Decoder
Inspect, decode, and optionally verify JSON Web Tokens (JWT) fully in your browser. The goal is to make JWTs understandable and trustworthy without sending them to any third-party service.
What this tool does
- Decode JWT header and payload using Base64URL rules.
- Pretty-print claims and highlight standard fields like exp/iat.
- Optionally verify signatures for HS256 / HS384 / HS512 using a shared secret you provide locally.
No network calls are made with your token or secret; everything is computed in the browser environment.
When to use it
- Debugging why an authentication flow is failing.
- Checking whether a token's expiry time matches expectations.
- Inspecting custom claims (roles, scopes, tenant IDs, etc.).
- Teaching or learning how JWTs are structured without needing a backend.
How it works internally
Safe token splitting
A JWT is expected to have three segments separated by dots: header.payload.signature. The tool checks this up front and returns clear errors if the structure is incomplete.
Base64URL decoding
JWTs use Base64URL encoding, which tweaks the character set and padding rules. The debugger normalizes each segment (adding padding, switching -/_ back to +/) before decoding and parsing JSON.
Signature verification (HS256/384/512)
When you provide a shared secret and choose an algorithm, the tool computes an HMAC over header.payload using WebCrypto, converts the result to Base64URL, and compares it with the token's signature segment.
Claim inspection
Standard claims such as exp, iat, and nbf are annotated with human-readable dates and status (for example, "already expired" or "not yet valid").
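The four steps above as one runnable sketch, added here as an illustration and not the tool's own source. All function names, the sample secret and the sample claims are assumptions; the signature check is the compute-and-compare described above, with the algorithm pinned by the caller rather than read from the token.

```javascript
// Added example: every name below is hypothetical, not taken from the tool.
const HASHES = { HS256: 'SHA-256', HS384: 'SHA-384', HS512: 'SHA-512' };
const toB64url = (bin) => btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
// Base64URL -> bytes: reject foreign characters, map -/_ to +/, restore padding.
function b64urlToBytes(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg) || seg.length % 4 === 1) throw new Error('invalid Base64URL');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (seg.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Require exactly three dot-separated segments before decoding anything.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3 || !parts[0] || !parts[1]) throw new Error('expected header.payload.signature');
  const json = (seg) => JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(b64urlToBytes(seg)));
  return { header: json(parts[0]), payload: json(parts[1]),
           signingInput: parts[0] + '.' + parts[1], signature: parts[2] };
}

// HMAC over "header.payload" as unpadded Base64URL (WebCrypto; node:crypto fallback on older Node).
async function hmacB64url(alg, secret, signingInput) {
  const { subtle } = globalThis.crypto ?? (await import('node:crypto')).webcrypto;
  const enc = new TextEncoder();
  const key = await subtle.importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: HASHES[alg] }, false, ['sign']);
  const mac = new Uint8Array(await subtle.sign('HMAC', key, enc.encode(signingInput)));
  return toB64url(String.fromCharCode(...mac));
}

// The caller pins the algorithm; a header naming a different one fails before any HMAC work.
async function verifyHmac(token, alg, secret) {
  if (!HASHES[alg]) throw new Error('unsupported algorithm: ' + alg);
  const { header, signingInput, signature } = decodeJwt(token);
  if (header.alg !== alg) return false;
  return (await hmacB64url(alg, secret, signingInput)) === signature;
}

// Annotate exp/nbf against a clock value in seconds since the epoch.
function timeStatus(payload, nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === 'number' && nowSec < payload.nbf) return 'not yet valid';
  if (typeof payload.exp === 'number' && nowSec >= payload.exp) return 'already expired';
  return 'valid';
}

// Constructed sample token for trying the functions above (secret and claims are made up).
async function sampleToken(secret, payload) {
  const input = toB64url('{"alg":"HS256","typ":"JWT"}') + '.' + toB64url(JSON.stringify(payload));
  return input + '.' + (await hmacB64url('HS256', secret, input));
}
```

The plain string comparison suits local inspection of a token you already hold; a service that accepts tokens from untrusted callers should compare signatures in constant time.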
Common usage patterns
Decode-only mode
- Paste the token into the input box.
- Review the header algorithm and type.
- Inspect the payload claims and timestamps.
Verify signature mode
- Paste the token.
- Select the expected HMAC algorithm.
- Enter the shared secret used by your backend.
- Check whether the computed signature matches.
Roadmap
- Support for RS256 / ES256 verification with public keys.
- Side-by-side comparison of two tokens.
- Detection of missing or risky claims (e.g. no exp).
- Copyable snippets for popular JWT libraries.