Online JWT Inspector for decoding, verifying, and signing tokens

JWT InspectorInspect token

Inspect tokenSign token

Input

Load exampleClear

Verification secret / key

HMAC algorithms use a shared secret. RSA, PS, ES, and EdDSA use PEM or JWK key material.

• Authorization is the most common use case. After login, the client sends the token on later requests so the server can authorize access without re-checking credentials on every call.
• Information exchange is another fit. Signed tokens let two parties share structured claims while still being able to verify that the content was not changed in transit.
• For HMAC-signed tokens, the same shared secret is used to sign and verify. For RSA, PS, ECDSA, or EdDSA tokens, the private key signs and the public key verifies.
• JWTs are compact and easy to pass in HTTP headers, forms, or query flows, but they should not be treated as encrypted storage for private information.

1. 1

   Paste an existing JWT into Inspect mode. It will decode immediately, and you can add matching key material later if you want to verify the signature.

2. 2

   Review the decoded header, payload, signature, and claim summary on the right-hand side.

3. 3

   Switch to Sign mode when you want to generate a token from editable header and payload JSON.

4. 4

   Choose an algorithm and paste the matching secret, public key, private key, or JWK to regenerate the token instantly.

5. 5

   Copy the resulting token and use it in your API, auth flow, or test fixture.

• Use Inspect mode when you receive a token and need to understand its claims, expiry, or signature status.
• Use Sign mode when you need a fresh JWT for testing, demos, or local integration work.
• Use HS256, HS384, or HS512 when you have a shared secret. Use RSA, PS, ECDSA, or EdDSA when you have PEM or JWK key material. If you are only decoding a token, no key is required.
• Treat the decoded payload as visible data. JWTs are signed, not encrypted, unless you are working with JWE.

When a decoded header or payload is hard to read, validate the JSON in JSON Formatter before copying it back into Sign mode. If you need to inspect an individual Base64URL segment outside the token, Base64 Encode & Decode helps with encoding and decoding experiments. For non-JWT API signatures, webhook signing, or checking an HMAC digest separately, use HMAC Generator ; and when a local HS256 test token needs a disposable shared secret, generate one with Password Generator instead of reusing real credentials.

• Do not trust a JWT until its signature has been verified with the correct secret or public key.
• JWTs are signed, not encrypted. Never assume the payload is private just because it is encoded.
• Keep secrets and private keys local. Do not paste production credentials into shared environments or screenshots.
• Match the algorithm to the key type. A token signed with HS256 will not verify with HS512, and RSA keys cannot verify HMAC tokens.
• Watch `exp`, `iat`, and `nbf` values carefully when debugging time-sensitive authentication issues.

• This page handles compact signed JWTs and uses jose for HMAC, RSA, PS, ECDSA, and EdDSA workflows.
• Encrypted JWTs, also known as JWE, are outside the scope of this tool.
• Malformed JSON in the header or payload will prevent signing until the content is fixed.
• Very large payloads can make the editor harder to read, although processing still happens locally.
• This tool is designed for inspection, verification, and test token generation, not secret management.