tokenbench

The JWT workbench that never sees your tokens

Decode, verify, generate and lint JSON Web Tokens — every algorithm, one page each, entirely in your browser. Paste the real token; that's the point.

Runs entirely in your browser.Open devtools → Network. Paste a token. Nothing is sent.Read the source · What we measure
Decoding happens on this page. Nothing is sent anywhere.

Every tool in the workbench

Why "don't paste real tokens" is the wrong advice

Every JWT tool carries some version of that warning, and they're right to — a token pasted into a page that ships it to a server is a credential handed to a stranger. But the warning is useless: the tokens you need to debug are the real ones, so it gets ignored, and real session tokens end up in strangers' logs. The fix isn't a sterner warning. It's a tool that doesn't need one — and that lets you verify the claim rather than trust it:

And it's the whole job in one place: every JOSE algorithm (HS, RS, PS, ES, EdDSA), keys as PEM, JWK, JWKS or raw secret, and the same security lint on every page — so you're not pasting one token into three tools that each do part of it.