
JWT Viewer & Verifier - Online Decode & Check Signature


JWT Viewer & Verifier

Decode, inspect and verify JSON Web Tokens (JWT) online. All processing happens locally in your browser.

Signature Verification
The required key type is automatically determined from the JWT header algorithm.

Frequently Asked Questions

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. It is commonly used for authentication, authorization, and information exchange. The token is digitally signed, which allows the receiver to verify its integrity and authenticity.

A JWT consists of three parts separated by dots (.): Header, Payload, and Signature. Each part is Base64url encoded. The header typically contains the token type (JWT) and the signing algorithm (alg). The payload holds the claims (e.g., user ID, expiration time). The signature is created by signing the encoded header and payload with a secret or private key.

Yes. The header and payload are only Base64url encoded, not encrypted. Anyone can decode them to view the contents. However, the signature cannot be verified without the corresponding secret (for HMAC algorithms) or public key (for RSA/ECDSA).

This tool supports all common algorithms: HS256, HS384, HS512 (HMAC with SHA-2), RS256, RS384, RS512 (RSA PKCS#1 v1.5), ES256, ES384, ES512 (ECDSA), and PS256, PS384, PS512 (RSA-PSS). The algorithm is automatically detected from the JWT header.

Absolutely. All decoding and verification take place entirely in your browser; no JWT or key data is ever transmitted to any server. You can even disconnect from the internet after the page loads and the tool will still work. Always make sure you use the official HTTPS version of the tool for maximum security.

It means the cryptographic signature attached to the JWT matches the signature computed from the header and payload using the key you provided. This confirms the token has not been modified since it was signed and that it was signed by a party holding the corresponding secret or private key.
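The three-part structure, the decode-without-a-key point and the signature match described above, as an added example that is not the tool's own code: Node.js, HMAC algorithms only, with a constructed secret and claims. The function names and the `expectedAlg` parameter are assumptions of this example; the verifier pins the algorithm itself rather than taking it from the token header.

```javascript
// Added example, not the tool's code. Secret and claims are constructed.
const nodeCrypto = require("crypto");

const b64url = (s) => Buffer.from(s).toString("base64url");

// Split a compact JWT and decode the two JSON parts; no key is needed for this.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [h, p, s] = parts;
  return {
    header: JSON.parse(Buffer.from(h, "base64url").toString("utf8")),
    payload: JSON.parse(Buffer.from(p, "base64url").toString("utf8")),
    signingInput: `${h}.${p}`, // the exact bytes the signature covers
    signature: Buffer.from(s, "base64url"),
  };
}

const HMAC_HASH = { HS256: "sha256", HS384: "sha384", HS512: "sha512" };

// Recompute the HMAC over header.payload and compare it in constant time.
// expectedAlg is chosen by the verifier; a header naming another alg is rejected.
function verifyHmacJwt(token, secret, expectedAlg) {
  let jwt;
  try { jwt = decodeJwt(token); } catch { return false; }
  const hash = HMAC_HASH[expectedAlg];
  if (!hash || jwt.header.alg !== expectedAlg) return false;
  const mac = nodeCrypto.createHmac(hash, secret).update(jwt.signingInput).digest();
  return mac.length === jwt.signature.length &&
    nodeCrypto.timingSafeEqual(mac, jwt.signature);
}

// Build a constructed HS256 sample token to verify.
function signHs256(payload, secret) {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const input = `${header}.${b64url(JSON.stringify(payload))}`;
  const sig = nodeCrypto.createHmac("sha256", secret).update(input).digest("base64url");
  return `${input}.${sig}`;
}

const SECRET = "constructed-demo-secret";
const token = signHs256({ sub: "user-123", role: "user" }, SECRET);

// A copy whose payload was edited after signing: it still decodes, but must not verify.
const [hdr, , sig] = token.split(".");
const edited = `${hdr}.${b64url(JSON.stringify({ sub: "user-123", role: "admin" }))}.${sig}`;

console.log(decodeJwt(token).payload, verifyHmacJwt(token, SECRET, "HS256"));
console.log(decodeJwt(edited).payload, verifyHmacJwt(edited, SECRET, "HS256"));
```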

You need the PEM-formatted public key that corresponds to the private key used to sign the JWT. It usually starts with -----BEGIN PUBLIC KEY-----. Many identity providers (Auth0, Okta, Firebase) expose JWKS endpoints where you can obtain the correct key.