
JWT Debugger

When a JWT 'just doesn't work', it's almost always one of: expired (exp claim in the past), not yet valid (nbf in the future), wrong audience (aud doesn't match what your API expects), wrong issuer (iss isn't the trusted source), or wrong algorithm (alg=none is rejected by serious validators). The JWT debugger flags each of these explicitly.

When to use this

Use it to debug 'invalid token' errors from your auth provider, audit a token after a customer-reported 'I can't log in' bug, verify that the iss / aud / sub claims match what your API expects, or check token expiry before retrying a failed request in production.

Frequently Asked Questions

What's the most common reason JWTs fail validation?

Clock skew. The token's exp time is in UTC, and the server validating it might have a slightly off clock. Most JWT libraries have a 30-60 second leeway by default. If your server's clock is badly off, tokens may appear expired when they shouldn't be. NTP-sync your servers.
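The checks listed at the top of the page, together with the leeway described in this answer, as an added example for Node.js (not the tool's own code). The names diagnoseJwt and makeToken, the sample issuer and audience values, and the 60-second default leeway are assumptions; the signature is deliberately not verified here.

```javascript
// Added example: claim checks only; this does NOT verify the signature.
function decodePart(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// expected = { iss, aud } your API trusts (assumed shape); now/leeway in seconds.
function diagnoseJwt(token, expected, now, leeway = 60) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['malformed: expected 3 dot-separated parts'];
  let header, claims;
  try {
    header = decodePart(parts[0]);
    claims = decodePart(parts[1]);
    if (!header || !claims) throw new Error('not a JSON object');
  } catch (e) {
    return ['malformed: header or payload is not base64url-encoded JSON'];
  }
  const problems = [];
  if (typeof header.alg !== 'string' || header.alg.toLowerCase() === 'none')
    problems.push('alg: token is unsigned (alg=none) or alg is missing');
  // exp/nbf are seconds since the epoch; checked only when present.
  if (typeof claims.exp === 'number' && now >= claims.exp + leeway)
    problems.push(`exp: expired ${now - claims.exp}s ago (leeway ${leeway}s)`);
  if (typeof claims.nbf === 'number' && now < claims.nbf - leeway)
    problems.push(`nbf: not valid for another ${claims.nbf - now}s`);
  // aud may be a single string or an array of strings.
  const aud = claims.aud === undefined ? [] : [].concat(claims.aud);
  if (!aud.includes(expected.aud))
    problems.push(`aud: ${JSON.stringify(claims.aud)} does not include ${expected.aud}`);
  if (claims.iss !== expected.iss)
    problems.push(`iss: ${JSON.stringify(claims.iss)} is not ${expected.iss}`);
  return problems;
}

// Builds a constructed sample token with an empty signature part.
function makeToken(header, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(claims)}.`;
}

const NOW = 1700000000; // fixed "current time" so the output is repeatable
const EXPECTED = { iss: 'https://idp.example.com', aud: 'api://orders' };
const sample = makeToken({ alg: 'none', typ: 'JWT' },
  { iss: 'https://idp.other.example', aud: 'api://billing', exp: NOW - 3600 });
console.log(diagnoseJwt(sample, EXPECTED, NOW));
```

A token that passes every check here can still carry a bad signature, so an empty result means only that the claims match what the API expects.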

Why does the debugger say my signature is invalid?

Two reasons: (1) The signing key (HMAC secret or public key) doesn't match the one used to sign. (2) The algorithm is 'none' (unsigned token) - many validators reject this by default. For HMAC, paste the secret to verify; for RS256, paste the PEM public key.
