JWT Toolkit — Decode, Verify & Sign in the Browser
Paste a token to decode the header and payload, check standard time claims, and copy segments. Use the Validate tab to confirm a signature against a shared secret or an RSA/EC public key in PEM form. Use Sign to build a new JWT from JSON claims and your key material—handy for API testing and learning how tokens are structured.
For pretty-printing raw JSON bodies, use the JSON Formatter. For string pattern work outside JWT claims, try the Regex Tester. More helpers live on the tools directory.
What developers use this for
- Debugging — read `exp`, `iat`, `nbf`, `iss`, `aud` without round-tripping to a server
- Integration tests — mint short-lived tokens that match your auth service’s algorithm and claims
- Key rotation — verify against a public key or JWKS endpoint before deploying new keys
- Learning — see how changing claims or the signing key affects the token string
Security notes
Processing uses the Web Crypto stack via the `jose` library in your tab. Nothing is sent to Onlikit servers for these operations. Still treat signing keys and live tokens as sensitive: avoid screen-sharing private keys, and do not rely on this page for production issuance—use your identity provider’s documented flows for real environments.
Limits
Algorithm support and error messages follow what the browser and library expose. If verification fails, double-check the PEM formatting, that the public key is the correct one for the token's `kid`, and clock skew against the `exp` / `nbf` claims.
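The three checks above can be scripted before a failed token is escalated. The following is an added example, not Onlikit's or `jose`'s code: the function names, the `Map` of `kid` to PEM, and the 60-second skew default are assumptions, and all inputs are constructed.

```javascript
// Added example: pre-verification triage. It decodes WITHOUT verifying, so the
// findings are diagnostic hints only and never a trust decision.
function b64urlJson(seg) {
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes)) ?? {};
}

// Structural PEM check only: armor lines, matching labels, base64 body.
function pemProblem(pem) {
  const m = /^-----BEGIN ([A-Z ]+)-----\r?\n([\s\S]*?)\r?\n-----END ([A-Z ]+)-----$/.exec(pem.trim());
  if (!m) return "PEM armor lines missing or line breaks lost";
  if (m[1] !== m[3]) return "BEGIN/END labels differ";
  if (m[1].includes("PRIVATE")) return "private key given where a public key is expected";
  if (!/^[A-Za-z0-9+\/=\r\n]+$/.test(m[2])) return "non-base64 characters in PEM body";
  return null;
}

// keys: Map of kid -> PEM (assumed shape); now and skewSec are in seconds.
function triage(token, keys, now = Math.floor(Date.now() / 1000), skewSec = 60) {
  const parts = token.split(".");
  if (parts.length !== 3) return ["not a compact JWS: expected 3 segments"];
  let header, claims;
  try {
    header = b64urlJson(parts[0]);
    claims = b64urlJson(parts[1]);
  } catch {
    return ["header or payload is not base64url-encoded JSON"];
  }
  const findings = [];
  const pem = keys.get(header.kid);
  const bad = pem === undefined ? null : pemProblem(pem);
  if (pem === undefined) findings.push(`no key for kid ${JSON.stringify(header.kid)}`);
  else if (bad) findings.push(`key ${header.kid}: ${bad}`);
  if (typeof claims.exp === "number" && now > claims.exp + skewSec)
    findings.push(`expired ${now - claims.exp}s ago, beyond ${skewSec}s skew`);
  if (typeof claims.nbf === "number" && now < claims.nbf - skewSec)
    findings.push(`not valid for another ${claims.nbf - now}s, beyond ${skewSec}s skew`);
  return findings;
}

// Constructed inputs: placeholder signature and a PEM body that is not a real key.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = (h, c) => `${enc(h)}.${enc(c)}.c2ln`;
const SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\nQUJDRA==\n-----END PUBLIC KEY-----";
const tok = sampleToken({ alg: "RS256", kid: "k2" }, { exp: 1700000000, nbf: 1699990000 });
console.log(triage(tok, new Map([["k1", SAMPLE_PEM]]), 1700000100));
```

An empty result means only that none of these three causes was found; the signature still has to be verified with the real key.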