Authentication providers like Auth0, Firebase, Supabase, and Clerk issue JWT tokens containing user claims, roles, permissions, and expiration data. Debugging authentication issues requires inspecting these tokens — but pasting them into third-party websites is a security risk. Our decoder runs 100% in your browser.
Auth0 Token Inspection
Auth0 JWTs contain claims like sub, iss, aud, and custom namespace claims (https://your-app.auth0.com/roles). Decode them here to verify that role-based access control (RBAC) claims are present and correct before debugging your API middleware.
Firebase Auth Tokens
Firebase ID tokens include firebase.sign_in_provider, email_verified, and custom claims set via admin.auth().setCustomUserClaims(). Decode tokens to verify custom claims are propagating correctly to your security rules and Cloud Functions.
Token Expiration Debugging
The most common auth bug is expired tokens. The decoder shows the exp (expiration) and iat (issued at) timestamps in human-readable format, making it immediately clear whether a token is still valid or needs refresh.
Privacy & Security
All processing happens in your browser's local memory. Your data — whether it's API responses containing authentication tokens, Kubernetes cluster configurations, or database exports with PII — never touches any external server. JSON Studio is 100% client-side by design.