Skip to content
>_devvkit
$devvkit learn --guide jwt-debugging-handbook

JWT Debugging Handbook

5min
[auth][security][jwt]

TL;DR: Learn to decode, verify, and debug JWT tokens effectively. Covers common issues and security pitfalls.

JSON Web Tokens (JWT) are self-contained tokens that encode claims between parties as a JSON object. They consist of three parts: header, payload, and signature.


Header: Contains the signing algorithm (typically HS256 or RS256) and the token type (JWT). Always verify the algorithm matches what you expect. Algorithm confusion attacks happen when a server accepts "none" or switches from RS256 to HS256.


Payload: Contains claims like sub (subject), iat (issued at), exp (expiration), and custom data. Never put sensitive data in the payload. It is base64-encoded, not encrypted.


Signature: Created by base64-encoding the header and payload, then signing them with the secret (HMAC) or private key (RSA/ECDSA). The signature verifies the token has not been tampered with.


Common debugging steps: decode the token to inspect header and payload, verify the signature against your secret/public key, check exp has not passed, validate the iss and aud claims match your service, and ensure the algorithm is not "none".


Use the devvkit JWT Decoder to inspect tokens directly in your browser. No data is sent to any server.

Key takeaway

Learn to decode, verify, and debug JWT tokens effectively. Covers common issues and security pitfalls.