JWT & JWE Decoder / Encoder — Secure, Local, and Privacy-First

Powerful in-browser tools for decoding, inspecting, and generating JSON Web Tokens. Ideal for debugging OAuth2, OpenID Connect, API gateways, and modern identity platforms — without ever sending sensitive tokens to a server.

  • 100% local execution for maximum privacy
  • Decode JWTs and preview JWE structures instantly
  • Generate HMAC, RSA, and ECDSA-signed tokens

Decode or Encode JWT Tokens

Paste an existing token to instantly inspect its header and payload, or enter data to generate a signed JWT with HMAC, RSA, or ECDSA algorithms in real time for safe local testing and integration.

Frequently Asked Questions

Can this tool verify JWT signatures?

Yes, if you provide the correct secret or public key. Verification depends entirely on the key material you supply. Always rely on your backend or identity provider for final trust decisions.

Does the tool work offline?

Yes. Once loaded in your browser, all decoding, encoding, and verification logic works without an internet connection. You can even save the page locally for offline use.

Can I import JWK keys?

Yes. The tool supports JWK-formatted keys for HMAC, RSA, and EC algorithms. RSA and EC JWKs must include required parameters such as n/e or crv/x/y.

Can I decode tokens from Auth0, AWS Cognito, or Azure AD?

Yes. Any standards-compliant JWT can be decoded. For verification, you must supply the correct public key, often available from the provider’s JWKS endpoint.

Does the tool highlight token expiration and time-based claims?

Yes. Claims like exp, nbf, and iat are converted into human-readable timestamps to simplify debugging and validation.

Can the tool handle malformed or unusual Base64URL tokens?

Yes. The decoder normalizes Base64URL formatting and provides detailed error messages when a token is structurally invalid.

Is the “none” algorithm supported?

Yes, but only for safe testing. Never permit the “none” algorithm in production, as it creates unsigned and unverifiable tokens.

Are any keys or secrets ever saved?

No. All secrets and private keys remain only in memory in your browser. Closing or refreshing the page clears everything.

Can I export decoded token data?

Yes. You can copy or download the decoded header, payload, or full token structure. All exports remain fully local.

Does the tool support symmetric and asymmetric signature checking?

Yes. HMAC can be verified with shared secrets, and RSA/ECDSA with the correct public keys. Ensure EC keys use supported curves (e.g., P-256, P-384, P-521).
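
The answers above on Base64URL normalization, time-based claims, and the "none" algorithm describe checks that can be sketched as follows. This is an added example, not this tool's own code, and it inspects a token without verifying its signature. The function names, the algorithm allowlist, and the sample token are assumptions constructed for illustration.

```javascript
// Added example: local JWT inspection only. It does NOT verify signatures.
const ALLOWED_ALGS = new Set(["HS256", "RS256", "ES256"]); // assumed policy

// Normalize Base64URL (RFC 4648 section 5) to padded Base64, decode as UTF-8.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*={0,2}$/.test(segment)) {
    throw new Error("segment contains characters outside the Base64URL alphabet");
  }
  const bare = segment.replace(/=+$/, "");
  if (bare.length % 4 === 1) throw new Error("impossible Base64URL length");
  const b64 = bare.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(bare.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function b64urlEncode(text) { // helper used only to build the sample token
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("five segments: JWE compact form, not a JWS");
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") {
    warnings.push("alg=none: unsigned token");
  } else if (!ALLOWED_ALGS.has(header.alg)) {
    warnings.push(`alg ${header.alg} not in allowlist`);
  }
  if (parts[2] === "") warnings.push("empty signature segment");
  const times = {}; // exp/nbf/iat are seconds since the epoch (NumericDate)
  for (const claim of ["exp", "nbf", "iat"]) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) warnings.push("expired");
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) warnings.push("not yet valid");
  return { header, payload, times, warnings };
}

// Constructed sample: an unsigned token with exp = 1700000000.
const SAMPLE = [b64urlEncode('{"alg":"none","typ":"JWT"}'),
  b64urlEncode('{"sub":"test-user","exp":1700000000}'), ""].join(".");
```

A clean result from inspectJwt only means the token is well formed and its claims are readable; acceptance still requires signature verification against the expected key on the backend.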