JWT Tools — Decode, Verify & Sign

Decode JWTs, verify HS, RS and ES signatures with a secret or PEM public key, and sign new HS tokens — all entirely in your browser.


An all-in-one JSON Web Token toolkit with three modes: Decode, Verify, and Sign. Decode pretty-prints a token's header and payload, Verify checks the signature with an HMAC secret (HS256/384/512) or a PEM public key (RS256/384/512, ES256/384/512), and Sign mints a fresh HS-signed token from your header, payload and secret. Every operation runs entirely client-side with the browser's built-in Web Crypto API, so tokens, secrets and keys never leave your machine.

What is JWT Tools — Decode, Verify & Sign?

JWT Tools is a free, all-in-one JSON Web Token utility that combines a decoder, a signature verifier, and an HS signer in one place. In Decode mode it base64url-decodes a header.payload.signature token and pretty-prints the header and payload as formatted JSON. In Verify mode it reads the alg from the token header and checks the signature with the Web Crypto API: an HMAC shared secret for HS256, HS384 and HS512, or a PEM-encoded public key for RS256/RS384/RS512 (RSASSA-PKCS1-v1_5) and ES256/ES384/ES512 (ECDSA). In Sign mode it builds and HMAC-signs a brand-new token from a header JSON, a payload JSON, a chosen HS algorithm and a secret. It is built for backend and frontend engineers, QA testers, and API integrators who debug authentication, OAuth/OIDC sessions, and token expiry without pasting secrets into a remote service.

How to use JWT Tools — Decode, Verify & Sign

  1. Pick a mode at the top: Decode, Verify, or Sign.
  2. Decode: paste a JWT (header.payload.signature) into the token box and read the pretty-printed Header and Payload below — no signature check is performed here.
  3. Verify: paste the token, then paste the HMAC secret (for HS algorithms) or the PEM public key (for RS/ES) into the key box; the tool reads the alg from the header and shows a green 'valid' or red 'invalid' result.
  4. Sign: enter a header JSON and a payload JSON, choose HS256, HS384 or HS512, type your secret, and copy the freshly signed token that appears.
  5. Use the Copy button on any output, or Clear to reset the decode input.

Examples

Decode a token

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.sig

Output

Header:
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload:
{
  "sub": "1234"
}

Verify an HS256 token

Input

token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.<sig>
secret: your-256-bit-secret

Output

valid (HS256)

Sign a new HS256 token

Input

header: {}
payload: { "sub": "1234567890", "name": "Jane Doe" }
secret: your-256-bit-secret

Output

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIn0.<signature>

Frequently asked questions

Are my tokens, secrets, and keys uploaded anywhere?
No. Every mode runs fully client-side in your browser using the built-in Web Crypto API (crypto.subtle) for HMAC and signature verification, plus base64url and JSON in JavaScript. Nothing — not the token, the secret, nor the PEM key — is ever sent to any server, which makes it safe to work with production credentials.

Which algorithms can it verify?
Verify supports HS256, HS384 and HS512 with a shared HMAC secret, and RS256/RS384/RS512 (RSASSA-PKCS1-v1_5) and ES256/ES384/ES512 (ECDSA) with a PEM-encoded public key. It reads the alg field from the token header automatically, so you only supply the matching secret or public key.

Which algorithms can it sign with?
Sign mode mints HMAC-signed tokens only — HS256, HS384 or HS512 — from your header JSON, payload JSON and a secret. RSA and ECDSA signing need a private key and are out of scope here; for RS/ES you can still verify with the matching public key in Verify mode.

Does Decode mode check the signature?
No. Decode only base64url-decodes and pretty-prints the header and payload — it never validates the signature. Switch to Verify mode and supply a secret or public key to confirm a token is authentic, and never trust a decoded payload until its signature is verified.

Why does verification say invalid or error?
'Invalid' means the signature did not match the secret or key you supplied. An 'error' instead means the input could not be processed — for example the token is missing its signature segment, the alg is unsupported, or the PEM public key could not be parsed. Check that you pasted the full token and the correct key for its algorithm.
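
The HS path of Verify and Sign, written out with the Web Crypto calls the page names. This is an added example, not the tool's own code. Unlike the tool, which reads alg from the header for convenience, the caller here pins the expected algorithm and the header value is only compared against it, which is how application code that accepts tokens should verify them. The names `signHs` and `verifyHs` and the result strings are assumptions made here.

```javascript
// Added example. Browsers and Node 19+ expose crypto globally; older Node needs require.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const enc = new TextEncoder();
const HS_HASH = { HS256: 'SHA-256', HS384: 'SHA-384', HS512: 'SHA-512' };

function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, '=');
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0)); // atob throws on bad input
}

function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...new Uint8Array(bytes)))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function hmacKey(secret, alg, usage) {
  const params = { name: 'HMAC', hash: HS_HASH[alg] };
  return subtle.importKey('raw', enc.encode(secret), params, false, [usage]);
}

// Sign mode equivalent: mint an HS token (also builds the constructed test tokens).
async function signHs(payload, secret, alg = 'HS256') {
  const input = [{ alg, typ: 'JWT' }, payload]
    .map((part) => bytesToB64url(enc.encode(JSON.stringify(part))))
    .join('.');
  const sig = await subtle.sign('HMAC', await hmacKey(secret, alg, 'sign'), enc.encode(input));
  return `${input}.${bytesToB64url(sig)}`;
}

// Returns 'valid', 'invalid' or 'error: <reason>'. The caller pins expectedAlg;
// the header's alg is only compared against it and never selects the algorithm.
async function verifyHs(token, secret, expectedAlg) {
  if (!Object.hasOwn(HS_HASH, expectedAlg)) return 'error: unsupported alg';
  const parts = String(token).split('.');
  if (parts.length !== 3 || parts.includes('')) return 'error: malformed token';
  let header, sig;
  try {
    header = JSON.parse(new TextDecoder().decode(b64urlToBytes(parts[0])));
    sig = b64urlToBytes(parts[2]);
  } catch {
    return 'error: undecodable segment';
  }
  if (header === null || header.alg !== expectedAlg) return 'error: alg mismatch';
  const key = await hmacKey(secret, expectedAlg, 'verify');
  // subtle.verify recomputes the MAC and does the comparison itself.
  const ok = await subtle.verify('HMAC', key, sig, enc.encode(`${parts[0]}.${parts[1]}`));
  return ok ? 'valid' : 'invalid';
}
```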
