Stack Auth JWT Debugger

Decode Stack Auth tokens with selected_team_id, team_role, and team memberships.


Private: Decoding, analysis, signature verification, and token generation all run in your browser. Nothing is sent to any server, except a JWKS URL you explicitly enter and click Verify on.

At a glance

- Active team claim: `selected_team_id`
- Role claim: `team_role`
- Memberships claim: `teams` (array of `{id, name, role}`)
- User identifier: `sub`
- Default algorithm: RS256

Stack Auth uses a team-centric model where each user can belong to multiple teams (the equivalent of orgs/tenants). The active team is in `selected_team_id` with the role in `team_role`. This debugger surfaces the active team plus the full memberships array, so you can see at a glance which teams a user has access to and what role they hold in each.

Stack Auth's team-based model

Where Clerk and WorkOS use the term "organization", Stack Auth uses "team". The mechanics are nearly identical: a user belongs to N teams, has a role in each, and the session JWT reflects which team is currently active.

The difference shows up in the claim names. Stack Auth uses `selected_team_id` (not `org_id`), `team_role` (not `org_role`), and `teams` (not `organizations`). This debugger's tenant-claim registry maps all of these to the same canonical concepts so the Summary card reads naturally regardless of provider.
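
The registry idea described above, as an added JavaScript example (not the debugger's own code): it decodes a token payload and maps provider-specific tenant claims to canonical fields. The registry shape, helper names, consistency checks and sample token are assumptions of this example.

```javascript
// Added example. Claim names are the ones this page lists; the registry
// shape, helper names and consistency checks are assumptions of the example.
const TENANT_CLAIMS = {
  activeTenant: ["selected_team_id", "org_id"],
  activeRole: ["team_role", "org_role"],
  memberships: ["teams", "organizations"],
};

// Decode the payload segment only. The signature is NOT checked here, so the
// result is for inspection and must not drive an authorization decision.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Return the first provider-specific claim present for a canonical concept.
function firstClaim(payload, names) {
  const claim = names.find((n) => payload[n] !== undefined);
  return { claim, value: claim ? payload[claim] : undefined };
}

function summarizeTenant(payload) {
  const active = firstClaim(payload, TENANT_CLAIMS.activeTenant);
  const role = firstClaim(payload, TENANT_CLAIMS.activeRole);
  const list = firstClaim(payload, TENANT_CLAIMS.memberships).value;
  const memberships = Array.isArray(list) ? list : [];
  const match = memberships.find((t) => t && t.id === active.value);
  const warnings = [];
  if (active.claim && !match) warnings.push("active team not in memberships");
  if (match && match.role !== role.value) warnings.push("role mismatch");
  return { user: payload.sub, activeTenant: active.value,
           activeRole: role.value, memberships, warnings };
}

// Constructed sample token: placeholder signature, not a real Stack Auth JWT.
const b64url = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-")
  .replace(/\//g, "_").replace(/=+$/, "");
function sampleToken(payload) {
  return [b64url({ alg: "RS256", typ: "JWT" }), b64url(payload), "sig"].join(".");
}
console.log(summarizeTenant(decodePayload(sampleToken({
  sub: "user_1", selected_team_id: "team_a", team_role: "admin",
  teams: [{ id: "team_a", name: "A", role: "admin" },
          { id: "team_b", name: "B", role: "member" }],
}))));
```

A non-empty `warnings` array means the active-team claims and the memberships array disagree, which is worth investigating before trusting either field after signature verification.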

Frequently asked questions

Does Stack Auth support multiple teams per user?
Yes. Stack Auth's team model maps cleanly to multi-tenant SaaS: a user can belong to multiple teams and switch between them. The session token always reflects the currently selected team via `selected_team_id` and includes the full memberships list in `teams`.

How do I switch teams in Stack Auth?
Call the team-switching API on the Stack Auth client. The session refreshes and the new JWT carries the new `selected_team_id` and `team_role`. The `teams` array remains the same; switching changes which team is active, not which teams the user belongs to.

Can permissions be team-scoped?
Yes. Stack Auth supports team-scoped permission claims. The exact claim name depends on your project's configuration; the analyzer's Permissions panel auto-detects common formats (resource:action strings, OAuth scopes, flat arrays).
