Decoding a JWT shows what's inside; verifying confirms the token is genuine and hasn't been tampered with. Paste your token and the signing secret (for HS256) or public key (for RS256). We verify the signature locally in your browser using the Web Crypto API. Your secrets never leave your device.
When to use this
Use it to: verify that a token your backend generated still matches the secret; test signature verification before deploying changes to a JWT library; debug 'invalid signature' errors by isolating the verification step; validate tokens from third-party identity providers (Auth0, AWS Cognito, Firebase Auth).
Frequently Asked Questions
Is it safe to paste my JWT secret here?
Verification runs entirely in your browser using the Web Crypto API. Nothing is sent over the network. That said, production secrets shouldn't be pasted into any web form (even ours) as a matter of discipline. Use test / dev secrets here, or verify in your own code with the secret stored properly.
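For verifying in your own code, the isolated HMAC verification step can be written against the same Web Crypto API. This is an added example, not this tool's own code; the function names (verifyHmacJwt, signHmacJwt and the helpers) are hypothetical, and it returns a reason string to help when debugging 'invalid signature' errors.

```javascript
// Added example. Browsers and Node 19+ expose globalThis.crypto; older Node falls back.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const enc = new TextEncoder();
const HASHES = { HS256: 'SHA-256', HS384: 'SHA-384', HS512: 'SHA-512' };
// JWT segments are base64url: URL-safe alphabet, padding stripped.
function b64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]+$/.test(s)) throw new Error('not base64url');
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, '=');
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function hmacKey(secret, alg, usage) {
  if (!HASHES[alg]) throw new Error(`unsupported alg: ${alg}`);
  const params = { name: 'HMAC', hash: HASHES[alg] };
  return subtle.importKey('raw', enc.encode(secret), params, false, [usage]);
}

// Signature check only; claims such as exp are not evaluated here.
async function verifyHmacJwt(token, secret, expectedAlg = 'HS256') {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) return { valid: false, reason: 'expected 3 dot-separated segments' };
  let header, sig;
  try {
    header = JSON.parse(new TextDecoder().decode(b64urlToBytes(parts[0])));
    sig = b64urlToBytes(parts[2]);
  } catch {
    return { valid: false, reason: 'malformed base64url or JSON' };
  }
  // The verifier pins the algorithm; the token's own header never selects it.
  if (header?.alg !== expectedAlg) {
    return { valid: false, reason: `alg is ${header?.alg}, expected ${expectedAlg}` };
  }
  const key = await hmacKey(secret, expectedAlg, 'verify');
  // The MAC covers the exact bytes of "<header>.<payload>" as received.
  const ok = await subtle.verify('HMAC', key, sig, enc.encode(`${parts[0]}.${parts[1]}`));
  return ok ? { valid: true } : { valid: false, reason: 'signature mismatch' };
}

// Builds a constructed sample token so the example runs offline.
async function signHmacJwt(payload, secret, alg = 'HS256') {
  const seg = (o) => bytesToB64url(enc.encode(JSON.stringify(o)));
  const input = `${seg({ alg, typ: 'JWT' })}.${seg(payload)}`;
  const mac = await subtle.sign('HMAC', await hmacKey(secret, alg, 'sign'), enc.encode(input));
  return `${input}.${bytesToB64url(new Uint8Array(mac))}`;
}
```

Pass the secret in from your environment or secret store rather than writing it as a literal in the source.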
Does it support EdDSA / ES256?
HS256, HS384, HS512 (HMAC) and RS256, RS384, RS512 (RSA) are supported; these are the most common in production. EdDSA (Ed25519) and ES256 / ES384 (ECDSA) are not yet supported but are planned. For now, verify those in your own code using node-jose or similar.