JWT Decoder, Verifier & Generator

Decode any JWT to see its header, payload, and signature. Verify signatures across all common algorithms — HS256, RS256, ES256, EdDSA, PSS, and more. Generate new signed tokens for testing. Scan tokens for the common JWT vulnerabilities (alg:none attacks, weak HMAC secrets, expired claims). Everything runs in your browser via WebCrypto; nothing transmits.

How to use the JWT Decoder

For most use cases, Decode mode is what you want. Paste a JWT — the three Base64URL-encoded segments separated by dots — and the tool splits it into header, payload, and signature, decodes the JSON of the first two, and highlights interesting claims (exp warnings, iss mismatches, missing standard fields).

When you need to confirm a token wasn't tampered with, switch to Verify and paste the secret (for HMAC algorithms) or the issuer's public key in PEM format (for RSA / ECDSA / EdDSA). The result is a clear pass/fail with a reason for any failure: bad signature, expired token, algorithm mismatch, malformed key.

Generate mode is for testing your own verifier. Pick an algorithm, edit the payload JSON, paste a secret, and get a freshly signed token. The example payload uses standard claims (sub, iat, exp) — adjust them or add custom claims as needed.

Vulnerability scan runs four checks: alg:none detection, algorithm confusion detection, weak HMAC secret heuristics, and claim validity. Useful when you're auditing a token issued by a third-party system you don't fully control.

What is a JWT?

A JSON Web Token is a compact, URL-safe way to transmit claims between two parties. The token is three Base64URL-encoded segments separated by dots: 

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NSIsIm5hbWUiOiJBbGljZSJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
  • Header (first segment): JSON describing the algorithm (alg) and token type (typ), plus optionally a key identifier (kid) and JWK Set URL (jku).
  • Payload (second segment): JSON containing the claims. Standard claims are iss (issuer), sub (subject), aud (audience), exp (expiry), nbf (not before), iat (issued at), jti (token ID). Application-specific claims are added freely.
  • Signature (third segment): A cryptographic signature over header.payload using the algorithm named in the header. Verifies that the token was issued by someone with access to the signing key and hasn't been tampered with in transit.

The payload is not encrypted — it's Base64URL encoded, which is trivially reversible. Anyone with the token can read its claims. The signature only guarantees authenticity, not confidentiality. For confidentiality, use JWE (JSON Web Encryption) or transport the token over TLS only.

JWT signing algorithms and when to use each

AlgorithmTypeKeyUse case
HS256 / HS384 / HS512HMAC + SHA-2Shared secretWhen issuer and verifier are the same service. Simplest setup; the secret must stay private.
RS256 / RS384 / RS512RSA + SHA-2Private key issues, public key verifiesWhen verifiers are separate services (microservices, third parties). Most common asymmetric choice. Use 2048+ bit keys.
ES256 / ES384 / ES512ECDSA + SHA-2EC private/publicSmaller signatures, faster verification. Preferred over RSA for mobile clients.
PS256 / PS384 / PS512RSA-PSS + SHA-2RSA private/publicRSASSA-PSS — RSA with probabilistic padding. Stronger security properties than RS256. Less widely supported.
EdDSAEd25519 / Ed448EdDSA private/publicModern, fast, small signatures. Best choice for new systems. Adoption growing but not universal yet.
For new systems: ES256 or EdDSA. Both are smaller, faster, and as secure as RS256.

Common JWT vulnerabilities to watch for

Most JWT bugs in the wild fall into one of these four patterns. The vulnerability scanner in this tool checks all of them.

  1. The alg:none attack. An attacker forges a token with header {"alg":"none"} and an empty signature. A verifier that trusts the header's algorithm and accepts an empty signature when the algorithm is "none" will accept anything. Fix: verifiers must check the algorithm against an allowlist before verifying, and never accept "none."
  2. Algorithm confusion. An attacker takes a public key intended for RS256 verification and uses it as the HMAC secret to sign an HS256 token. A verifier that uses the same library API for both algorithms — passing the key as a generic "secret" — will verify the attacker's token as legitimate. Fix: verifiers must hard-code the expected algorithm, not read it from the header.
  3. Weak HMAC secrets. HS256 with a secret shorter than 32 bytes (the digest size) is crackable offline within hours. HS384/512 with shorter-than-digest secrets is the same problem. Fix: HMAC secrets must be cryptographically random and at least as long as the digest output (32/48/64 bytes for HS256/384/512).
  4. Expired or future-dated tokens accepted. Verifiers must check exp (expiry), nbf (not before), and clock-skew tolerance. Servers with badly-synced clocks sometimes accept tokens that are minutes expired or hours in the future.

Frequently asked questions

Is it safe to paste production JWTs into this tool?
Yes — with one caveat. All decoding and verification happens in your browser using the WebCrypto API. The token never leaves your machine. The caveat: if you have a browser extension that inspects page content (some "developer tools" or password managers do), that extension can read what you paste. For maximum safety, use this in a private/incognito window.

Which signing algorithms does the verifier support?
HMAC: HS256, HS384, HS512. RSA: RS256, RS384, RS512. ECDSA: ES256, ES384, ES512. EdDSA (Ed25519). RSA-PSS: PS256, PS384, PS512. These cover essentially every JWT in production. The deliberately-broken alg:none is detected but never accepted; the scan mode flags it as a critical vulnerability.

What does the vulnerability scan check?
Four classes of issue: (1) alg:none attacks where the token claims no signature is needed; (2) algorithm confusion where an RS256 verifier is given an HS256 token signed with the public key; (3) weak HMAC secrets — secrets shorter than the digest output for HS256/384/512; (4) expired or not-yet-valid claims (exp, nbf, iat sanity). It does not attempt to crack the secret or guess the signing key.

Can I generate a JWT here for testing?
Yes — the Generate mode lets you build a header and payload, paste a secret or key, and produce a valid signed token. Useful for testing your own verifier, simulating different claim shapes, or producing a token with a specific exp time without having to write code.

What's the difference between a JWT, a JWS, and a JWE?
A JWT (JSON Web Token) is a JSON payload wrapped in either a JWS (signed but not encrypted) or a JWE (encrypted). The vast majority of "JWTs" in the wild are JWS — three Base64URL segments separated by dots. This tool decodes and verifies JWS. JWE tokens are five segments and require the recipient's private key to decrypt; this tool detects them but does not decrypt.

How do I get an RSA public key in the right format?
The verifier accepts PEM-formatted public keys (starting with -----BEGIN PUBLIC KEY-----). If your IdP exposes a JWKS endpoint, fetch the key set, find the entry whose kid matches the JWT header's kid, and convert the n and e fields to PEM — a tool like jwk-to-pem on npm handles this. Pasting JWKS JSON directly is on the roadmap; for now the tool wants PEM.