Free JWT Decoder & Verifier
No signup. No watermark. No tracking. Crafted by
No token leaves your browser. Zero network requests after load.
Questions and answers
- Is my token sent anywhere?
- No. Decoding and verification run entirely in your browser via the Web Crypto API. The page makes zero network requests after load. The one exception: if you paste a JWKS URL, your browser fetches that URL directly; we never see it. Open your DevTools network tab and try.
- What is the difference between decoding and verifying?
- Decoding just base64url-unpacks the header and payload, which anyone can read. Verifying checks the signature against a key to prove the token was not tampered with and came from who it claims.
- Which algorithms can you verify?
- HMAC (HS256/384/512), RSA (RS256/384/512), RSA-PSS (PS256/384/512), and ECDSA (ES256/384/512). EdDSA and JWE decryption are not supported yet.
- What is a JWKS URL?
- A JSON Web Key Set (JWKS) is the set of public keys an OpenID Connect provider publishes, and the JWKS URL is the endpoint that serves it, for example /.well-known/jwks.json. Paste the URL and your browser fetches it, then the tool auto-picks the key whose kid matches the kid in your token's header. If the endpoint blocks cross-origin requests, paste the JWKS JSON instead.
- Why does it warn about "alg: none"?
- A JWT whose header sets alg to none has no signature, so anyone can forge it. Most libraries reject it by default. We flag it so you do not trust an unsigned token by accident.
- Do you support creating or signing JWTs?
- Not in v1; this is a decoder and verifier. Signing is on the roadmap.
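
The decode/verify distinction and the "alg: none" rejection described in the answers above, as an added example using the Web Crypto API (not this tool's own code). It covers HS256 only; the function names and the signing helper are assumptions made for illustration.

```javascript
// Added example: decoding versus verifying a JWT (HS256 only).
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();

// base64url <-> bytes without Buffer, so the same code runs in a browser and in Node.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "=");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decoding: no key is involved, so the result says nothing about who made the token.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(dec.decode(b64urlToBytes(p))));
  return { header, payload, signingInput: `${parts[0]}.${parts[1]}`, signature: parts[2] };
}

function hmacKey(secret, usage) {
  return subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);
}

// Verifying: the verifier fixes the algorithm; the header's alg is only compared against it.
async function verifyHs256(token, secret) {
  const { header, payload, signingInput, signature } = decodeJwt(token);
  if (header.alg !== "HS256") return { valid: false, reason: `alg ${header.alg} not accepted` };
  const key = await hmacKey(secret, "verify");
  const ok = await subtle.verify("HMAC", key, b64urlToBytes(signature), enc.encode(signingInput));
  return ok ? { valid: true, payload } : { valid: false, reason: "signature mismatch" };
}

// Helper used only to build constructed sample tokens for this example.
async function signHs256(payload, secret) {
  const part = (obj) => bytesToB64url(enc.encode(JSON.stringify(obj)));
  const input = `${part({ alg: "HS256", typ: "JWT" })}.${part(payload)}`;
  const sig = await subtle.sign("HMAC", await hmacKey(secret, "sign"), enc.encode(input));
  return `${input}.${bytesToB64url(new Uint8Array(sig))}`;
}
```

A token whose payload was swapped after signing still decodes cleanly; only `verifyHs256` reports the mismatch, and a header with `alg` set to `none` is refused before any key is used.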