The JWT workbench that never sees your tokens
Decode, verify, generate and lint JSON Web Tokens — every algorithm, one page each, entirely in your browser. Paste the real token; that's the point.
Every tool in the workbench
JWT Decoder
Read a token's header, payload and claims — including expired ones. Nothing is uploaded.
JWT Validator
Verify a signature against a secret, PEM, JWK or JWKS. Signature and expiry are judged separately.
JWT Generator
Mint a test token for any algorithm — including deliberately invalid ones, to test your rejection path.
JWT Secret Key Generator
Generate a cryptographically random HMAC secret at 256, 384 or 512 bits.
Why "don't paste real tokens" is the wrong advice
Every JWT tool carries some version of that warning, and they're right to — a token pasted into a page that ships it to a server is a credential handed to a stranger. But the warning is useless: the tokens you need to debug are the real ones, so it gets ignored, and real session tokens end up in strangers' logs. The fix isn't a sterner warning. It's a tool that doesn't need one — and that lets you verify the claim rather than trust it:
- No network requests. After load, nothing is sent — watch the Network tab while you paste. The one exception is a JWKS fetch you trigger by button, and even then the token is never part of the request.
- No storage. Nothing you paste touches localStorage, sessionStorage, IndexedDB or a cookie. Refresh, and it's gone.
- Readable source. A handful of TypeScript files calling WebCrypto. Go and check the claims above are true.
- Works offline. Load once, pull the plug, and every tool still works. A page that runs with the network unplugged can't be exfiltrating anything.
And it's the whole job in one place: every JOSE algorithm (HS, RS, PS, ES, EdDSA), keys as PEM, JWK, JWKS or raw secret, and the same security lint on every page — so you're not pasting one token into three tools that each do part of it.