JWT Signer & Verifier
Sign and verify JSON Web Tokens client-side with HS256/HS384/HS512, RS256 and ES256. Generate RSA & ECDSA keys in-browser.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to transport claims between two parties. It consists of three Base64URL-encoded parts joined by dots: a header that names the algorithm, a payload of arbitrary JSON claims, and a signature computed over header.payload with a key. The receiver re-computes the signature and rejects the token if it does not match. JWTs are popular for stateless authentication because servers do not need to remember sessions — every request carries its own proof. The flip side is that you cannot revoke a token once issued without an extra revocation list, and any leaked secret or key compromises every token signed with it. This tool runs entirely on your device — your secrets, signing keys, and tokens never leave the page, never travel to our servers, and are not stored, indexed, logged, or shared. That privacy guarantee matters because a single keystroke leak of a JWT signing secret can compromise every user account it issues tokens for.
How to use the signer/verifier
Pick the algorithm that matches your environment, paste the header and payload (or use the defaults as a template), then click Sign. For RS256 and ES256 you can generate a fresh keypair on the page; for HS256 you supply a shared secret. To verify, switch to verify mode, paste the token and the matching secret or public key, then click Verify. The decoded payload appears in the verdict box on success.
Practical tips and gotchas
Always set exp (expiry) on production tokens. Never accept the algorithm advertised in the header without an allow-list — the classic alg=none attack exploits servers that trust the header. Rotate signing keys periodically, store private keys in an HSM or secrets manager, and treat HMAC secrets like passwords. For browsers and mobile apps, prefer short-lived JWTs paired with refresh tokens stored in HttpOnly cookies.
Supported algorithms
| Alg | Family | Use case |
|---|---|---|
| HS256 | HMAC + SHA-256 | Internal services that share a single secret. Fast, simple. |
| HS384 | HMAC + SHA-384 | Internal services that share a single secret. Fast, simple. |
| HS512 | HMAC + SHA-512 | Internal services that share a single secret. Fast, simple. |
| RS256 | RSA + SHA-256 | Public APIs distributing the public key for verification. |
| ES256 | ECDSA P-256 + SHA-256 | Like RS256 but with shorter signatures and modern elliptic curves. |
Frequently asked questions
Is anything sent to your server?
What’s the difference between HS256 and RS256?
Can I use this for production keys?
Why does my token fail to verify?
exp) or not-yet-valid (nbf) token, tampered payload, or a copy-paste that introduced whitespace.