Clerk JWT Debugger

Decode and inspect Clerk session tokens with org_id, org_role, and org_permissions surfaced.

shield

Private: Decoding, analysis, signature verification, and token generation all run in your browser. Nothing is sent to any server, except a JWKS URL you explicitly enter and click Verify on.

At a glance

Active org claim
org_id
Role claim
org_role (e.g., org:admin)
Permissions claim
org_permissions (string array)
Session id claim
sid
Authorized party claim
azp
Default algorithm
RS256

Paste a Clerk session JWT and this debugger highlights the multi-organization claims most generic JWT tools ignore: which organization the user is currently active in (org_id), their role within it (org_role), and the array of scoped permissions (org_permissions). It also flags common Clerk pitfalls like long-lived tokens, missing aud claims, and tokens that have already expired.

How Clerk encodes multi-organization context

Clerk's session JWT places the currently-selected organization in `org_id` and the user's role in `org_role`. Crucially, this is the *active* organization only — if the user belongs to multiple orgs, the others are not in the token. Switching orgs in Clerk's frontend triggers a new session refresh that re-issues the JWT with the new `org_id`.

For applications that need to know all of a user's memberships up front (e.g., to render an "org switcher" without a round trip), use Clerk's `organizationMemberships` API server-side rather than expecting them in the token.

Common Clerk JWT debugging issues this tool flags

Wildcard permissions: if your custom role includes a wildcard like `org:*` or `*:*`, this tool flags it for review. Wildcards are a common shortcut that becomes a security smell as the permission catalog grows.

Missing aud claim: Clerk session tokens don't include `aud` by default. If you need it (e.g., for downstream API gateways that validate audience), add it via a JWT template — and this tool will note its absence on the default session token.

Algorithm confusion: Clerk uses RS256 by default for session tokens. If you see HS256, you're likely looking at a JWT template configured with a shared secret — confirm that secret isn't embedded in any client-side code.

Frequently asked questions

Where does Clerk put the active organization in a JWT?expand_more
Clerk puts the active organization id in the `org_id` claim, the slug in `org_slug`, and the user's role within that org in `org_role` (formatted as `org:admin`, `org:member`, or your custom role). Permissions for the active org are in `org_permissions` as an array of strings like `org:sys_billing:manage`.
How do I get Clerk org claims into a session JWT?expand_more
Org-scoped claims appear automatically once you enable Organizations in your Clerk instance and the user has selected an active organization. If you don't see `org_id` in the token, double-check that the user is using a session that has `setActive({ organization: ... })` applied — personal-account sessions don't carry org claims.
Why does my Clerk JWT have no `exp` field?expand_more
It should — Clerk-issued session tokens always include `exp` (typically a 1-minute lifetime, refreshed automatically by the Clerk frontend). If you're looking at a Clerk JWT template token instead of a session token, lifetimes can be longer. If `exp` is genuinely missing, the token didn't come from Clerk's standard issuance flow.
Can I use this debugger with Clerk JWT templates?expand_more
Yes. Clerk JWT templates produce tokens that follow the same structure as session tokens but with custom claims. Paste the template-issued token here and the analyzer will treat it like any other JWT — provider detection still fires on `iss` and `azp`, and your custom claims appear in the Custom claims panel.

Related guides

WorkOS JWT Debugger
Decode WorkOS AuthKit session tokens with organization context, roles, and permissions.
Auth0 Multi-Tenant JWT Debugger
Decode Auth0 access and ID tokens with Organizations, namespaced custom claims, and RBAC permissions.
org_id, tenant_id, workspace_id: which claim should you use?
Different SaaS auth providers use different claim names for the same concept. Here's when to use each, and how to migrate between them.

Related Tools

vpn_key

JWT Decoder

Decode and inspect JWT tokens — header, payload, timestamps.

terminal

Base64

Encode and decode Base64 strings instantly.

tag

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from text or files. Supports HMAC authentication codes.

fingerprint

UUID Generator

Generate random UUID v4 identifiers. Bulk generate up to 100 UUIDs, toggle uppercase/lowercase and hyphen formatting.

code

JSON Formatter

Clean, minify, and validate JSON data structures.