Inspectors

JWT debugger

Decode tokens, see claims, spot expired sessions.

Install for Chrome →All features

Tools → Inspect → JWT debugger · 7-day free trial · Premium $9.99 / yr

Try it now·runs locally · nothing uploaded

JWT (header.payload.signature)

Decoded

✓ Currently valid

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "Alice",
  "iat": 1516239022,
  "exp": 1999999999,
  "roles": [
    "admin"
  ]
}

Annotated claims

sub (Subject) = 1234567890
name (Name) = Alice
iat (Issued at) = 1516239022 · 2018-01-18T01:30:22.000Z (8 years ago)
exp (Expiration) = 1999999999 · 2033-05-18T03:33:19.000Z (in 7 years)
roles = ["admin"]

Signature is intentionally not verified — that needs a key you haven’t shared. The extension’s JWT signer handles HMAC signing if you have the secret.

Want this and 50 more tools at one keyboard shortcut, with collections and persistence?Install free trial →

★ Premium

Built for the things AI can’t fake

This tool runs free, right here. The extension adds three things a web widget can’t:

Start 7-day trial→

★ Flagship

Playground

↗

JS / TS scratchpad — sandboxed and instrumented.

Paste real code, hit Run. Console + network monitor + watch expressions all in one panel.

·Real ES modules · top-level await
·URL imports — esm.sh & friends
·Live fetch monitor (every call)
·Watch expressions in your scope
·10s sandbox timeout · zero CORS pain

HTTP client

↗

Postman-style request runner.

Save collections, share variables, hit any API. Includes GraphQL with introspection, OpenAPI / cURL import.

·Bearer / Basic / API-key auth
·GraphQL · introspection
·OpenAPI 3.x · cURL import
·Copy as fetch / axios / Python

Realtime (WS + SSE)

↗

Stream-protocol tester — what Postman doesn’t do well.

WebSocket + Server-Sent Events with custom auth headers, auto-reconnect, JSON pretty-print.

·wss:// + ws:// + subprotocols
·SSE via fetch — Authorization works
·Auto-reconnect with backoff
·Send composer · ⌘ + Enter

What it does

A JWT is a signed, base64-encoded token APIs use to prove who you are: three dot-separated parts (header.payload.signature). The header says how it was signed, the payload contains "claims" (user ID, expiration, roles), and the signature stops people from forging tokens.

The JWT debugger decodes header + payload so you can read the claims. Standard claims like exp (expiration) and iat (issued at) get human-readable timestamps; expired tokens light up red.

Why use VibeGear's jwt debugger

✓Annotates standard claims with explanations
✓Expiration shown as both UTC and "in 2 hours" relative time
✓Algorithm column with descriptive name
✓Local-only — your token never leaves the browser

How to use it

1Tools → Inspect → JWT debugger.
2Paste your JWT.
3Header, payload, and annotated claims appear instantly.

Frequently asked

Does it verify the signature?

No — and we’re explicit about that. Verification needs the secret or public key, which you haven’t given us. Faking a "verified" badge from the client side would be misleading. Use the JWT signer if you have the secret and want to sign new tokens.

Related tools

JWT signer (HMAC)

Mint test JWTs with arbitrary claims and a secret.

OAuth 2.0 helper (PKCE + URLs)

Generate PKCE values, build authorize URLs, parse return URLs.

Base64 encoder & decoder

Encode and decode base64 (and base64url) — text or binary.

★ Premium

One install. Every tool above.

7 days free, then VibeGear Premium is $9.99 / €9.99 per year. Everything runs locally.

Install & start trial →→

Language

English Español