Offline JWT Debugger & Generator

Decoder / Verifier

JWT (compact)

Ctrl/Cmd+1

Paste or drop a .txt. JWE (5-part) will be detected (not supported).

Header

{}

Payload

{}

Signature

(none)

Claim	Value	Interpretation	Result

Key & Verification

Algorithm

kid (optional, for JWK selection)

HMAC secret

Length: 0 bits

Show

Public key (PEM SPKI or JWK)

Private key (PKCS#8 or JWK) — optional for signing

JWK/JWKS (auto-select by kid)

Key info: —

Validation

Reject alg=none Allow alg=none (danger)

Now (auto or custom)

Auto now

Clock skew ± seconds

Required aud (comma)

Required iss

Required sub

Treat iss/sub as regex

Notes

Security note: All processing happens locally in your browser. Never paste secrets you don’t trust this device with.

How it works

This page uses the Web Crypto API for hashing, HMAC, RSA, ECDSA, and Ed25519 when available. A compact, inlined Ed25519 fallback is provided and activated only if the browser lacks built-in Ed25519 support and the fallback self-test passes.

Heavy operations can run in a Web Worker to keep the UI responsive. No network calls are made; JWKS can be pasted as JSON.

JWT basics

JWTs are signed objects: header.payload.signature with Base64URL encoding. This tool supports JWS (signatures) and not JWE (encryption). Claims like exp/nbf/iat are NumericDate (seconds since epoch).

Key formats cheat sheet

RSA/ECDSA: Public key as PEM SubjectPublicKeyInfo (BEGIN PUBLIC KEY), Private key as PKCS#8 (BEGIN PRIVATE KEY).
Ed25519: Public key as JWK OKP(kty="OKP", crv="Ed25519") or PEM SPKI; private as PKCS#8 or JWK.
JWK/JWKS: Paste a single JWK or a JSON with {"keys": [...]}. kid is used for selection if present.