JWT Decoder & Verifier
Privacy: All processing runs locally
Decode, verify signatures, analyze claims, and generate JSON Web Tokens. Everything runs locally in your browser.
How It Works
A JSON Web Token (JWT) consists of three Base64URL-encoded parts separated by dots: header.payload.signature.
The header contains the signing algorithm (e.g., HS256, RS256, ES256) and token type. The payload contains claims — statements about the user and metadata such as issuer (iss), subject (sub), expiration time (exp), and issued at (iat).
Signature verification uses the Web Crypto API to validate HMAC (HS256/384/512), RSA (RS256/384/512), and ECDSA (ES256) signatures entirely in your browser. No keys or tokens are ever transmitted.
The security audit checks for common JWT vulnerabilities: unsigned tokens (alg=none), missing expiration, weak secrets, overly long validity, and expired tokens.
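The audit checks listed above can be sketched as follows. This is an added example, not the tool's own code: the finding names, the 24-hour validity threshold, and the use of the RFC 7518 minimum HMAC key length as the "weak secret" test are assumptions, and the sample tokens are constructed.

```javascript
// Added example: thresholds and finding names are assumptions, not the tool's own.
const MAX_VALIDITY_SECONDS = 24 * 60 * 60; // assumed policy: flag lifetimes over 24 hours
const HMAC_MIN_KEY_BYTES = { HS256: 32, HS384: 48, HS512: 64 }; // RFC 7518 section 3.2

// Decode one Base64URL segment into a parsed JSON value.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Return finding codes for a compact JWT. `secret` is optional (HMAC key-length
// check only); `now` is injectable so results are reproducible.
function auditJwt(token, { secret, now = Math.floor(Date.now() / 1000) } = {}) {
  const parts = token.split(".");
  if (parts.length !== 3) return ["malformed"];
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch {
    return ["malformed"];
  }
  if (!header || !payload || typeof header !== "object" || typeof payload !== "object") return ["malformed"];
  const findings = [];
  const alg = String(header.alg ?? "");
  // Any casing of "none" means unsigned; an empty signature part is equally unverifiable.
  if (alg.toLowerCase() === "none" || parts[2] === "") findings.push("unsigned");
  if (typeof payload.exp !== "number") {
    findings.push("missing-exp");
  } else {
    if (payload.exp <= now) findings.push("expired");
    const start = typeof payload.iat === "number" ? payload.iat : now;
    if (payload.exp - start > MAX_VALIDITY_SECONDS) findings.push("long-validity");
  }
  const minKey = HMAC_MIN_KEY_BYTES[alg];
  if (minKey && secret !== undefined && new TextEncoder().encode(secret).length < minKey) {
    findings.push("weak-secret");
  }
  return findings;
}

// Constructed sample tokens (built here, not captured from any real system).
const enc = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unsignedToken = `${enc({ alg: "none", typ: "JWT" })}.${enc({ sub: "alice" })}.`;
const staleToken = `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ sub: "alice", iat: 1700000000, exp: 1702592000 })}.c2ln`;
```

These checks read unverified claims, so they describe a token without authenticating it; a relying party still has to verify the signature against an expected algorithm before trusting any claim.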
The generator creates properly signed JWTs from a payload using the Web Crypto API. It supports all major algorithms.