DevDeck

JWT Toolkit — Decode & Generate JSON Web Tokens Online

JWT Toolkit is a complete JWT workbench. Decode any token to inspect its claims, and generate cryptographically signed JWTs using five algorithm families — all in-browser with zero server calls.

What is a JWT?

A JSON Web Token is a compact, URL-safe token used for authentication and authorization. It has three dot-separated parts: Header (algorithm + type), Payload (claims like user ID and expiry), and Signature (cryptographic proof). Format: `xxxxx.yyyyy.zzzzz`

Decode: Inspect Any JWT

Paste any JWT into the Decode tab and the toolkit instantly splits, Base64URL-decodes, and formats all three sections. The `exp` claim is shown as a human-readable date with an expiry countdown. Expired tokens are highlighted. All 18 standard JWT claim names are documented inline.

Generate: Sign Tokens In-Browser

The Generate tab lets you create real, cryptographically signed JWTs. Choose your algorithm, edit the header and payload JSON, provide a secret or key, and a live token is produced with a 300ms debounce. Use 'Test in Decoder' to immediately verify what you just signed.

Supported Algorithms

  • HMAC — HS256, HS384, HS512 (shared secret, Base64 or plain text)
  • RSA — RS256, RS384, RS512 (RSASSA-PKCS1-v1_5, PEM private key)
  • RSA-PSS — PS256, PS384, PS512 (probabilistic signature scheme)
  • ECDSA — ES256 (P-256), ES384 (P-384), ES512 (P-521)
  • EdDSA — Ed25519 (fast, modern elliptic curve)

Key Pair Generation

For asymmetric algorithms (RSA, RSA-PSS, ECDSA, EdDSA), click 'Generate Key Pair' to create a browser-native cryptographic key pair via the Web Crypto API. The private key is used for signing and the public key is shown with a copy button — ready to paste into your verification config.

Example: Debug an Expired Session

A user reports being logged out unexpectedly. Grab their JWT from DevTools → Network → Authorization header. Paste it into the Decode tab: the `exp` claim shows the token expired 2 hours ago. Confirmed — not a bug, just an expired session.
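What the Decode step and the expired-session check amount to, as an added example that is not DevDeck's own code: it splits the token, Base64URL-decodes the header and payload, and reports `exp` against a supplied clock. The sample token, its `sub` value and the function names are constructed for illustration; decoding alone does not verify the signature.

```javascript
// Base64URL -> UTF-8 text (restore the standard alphabet and padding first).
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("invalid Base64URL segment");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split a compact JWT into parsed header, parsed payload and the raw signature segment.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated parts");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlDecode(p)));
  return { header, payload, signature: parts[2] };
}

// Report expiry relative to nowMs (injectable so the check is reproducible).
function expiryStatus(payload, nowMs = Date.now()) {
  if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) {
    return { state: "no-exp", expiresAt: null, secondsLeft: null };
  }
  const secondsLeft = payload.exp - Math.floor(nowMs / 1000); // exp is in seconds, not ms
  return {
    state: secondsLeft > 0 ? "valid" : "expired",
    expiresAt: new Date(payload.exp * 1000).toISOString(),
    secondsLeft,
  };
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const b64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_EXP = 1700000000; // constructed expiry timestamp
const sampleToken = [
  b64url({ alg: "HS256", typ: "JWT" }),
  b64url({ sub: "user-123", exp: SAMPLE_EXP }),
  "constructed-signature",
].join(".");

// Evaluate two hours after expiry, as in the session-debugging scenario above.
const decoded = decodeJwt(sampleToken);
const status = expiryStatus(decoded.payload, (SAMPLE_EXP + 7200) * 1000);
console.log(decoded.header.alg, status.state, status.expiresAt, status.secondsLeft);
```
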

Tips

  • Never paste production JWTs into external tools — this toolkit is 100% local
  • The 'exp' claim is a Unix timestamp — the toolkit converts it to a readable date automatically
  • Algorithm change resets the key pair and syncs the header's `alg` field
  • Use EdDSA (Ed25519) for new systems — it's faster and more secure than RSA
  • Use JWT for stateless auth, not for storing sensitive data in the payload: the payload is only Base64URL-encoded, not encrypted, so anyone holding the token can read it


Frequently Asked Questions

Yes, completely free.

No. All decoding and signing happens locally in your browser. Nothing is ever sent to a server.

Yes. In the Decode tab, provide your secret (HMAC) or public key PEM (RSA/ECDSA/EdDSA) and the signature is verified in-browser using the Web Crypto API.

HS256/384/512 (HMAC), RS256/384/512 (RSA), PS256/384/512 (RSA-PSS), ES256/384/512 (ECDSA), and Ed25519 (EdDSA).

DevDeck © 2023 - 2026
