Decode, verify, sign, and assess JSON Web Tokens locally in your browser.
This client-side JWT verifier decodes token contents, validates signatures when you provide the expected key, and highlights implementation risks commonly tested during JWT security reviews.
- Signature and algorithm issues, including unsigned tokens, algorithm confusion indicators, weak HMAC secrets, and suspicious ECDSA signatures.
- Claim quality issues, including a missing or already-passed expiry, future not-before values, long-lived tokens, missing issuer, missing audience, and privileged claims.
- Header trust issues, including attacker-controlled key references such as `kid`, `jku`, `x5u`, and embedded `jwk` values.
- Information exposure patterns, including secrets, passwords, API keys, tokens, and personally identifiable data in the readable payload.
The token and key material stay in your browser. Do not paste production secrets into third-party tools unless you understand and accept the risk.
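The header and claim checks listed above can be reproduced without any key material. The following is an added example, not this tool's own code: `assessJwt`, the finding labels, and the 24-hour `MAX_LIFETIME_S` threshold are assumptions made for illustration, and it performs no signature verification.

```javascript
// Added example: static JWT checks only (no signature verification).
const KEY_REF_HEADERS = ["kid", "jku", "x5u", "jwk"];
const MAX_LIFETIME_S = 24 * 3600; // assumed threshold for "long-lived"

function b64urlToJson(part) {
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function assessJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected 3 parts");
  const header = b64urlToJson(parts[0]);
  const claims = b64urlToJson(parts[1]);
  const findings = [];

  // Signature and algorithm issues: "none" or an empty signature segment
  if (String(header.alg).toLowerCase() === "none" || parts[2] === "") {
    findings.push("unsigned-token");
  }
  // Header trust issues: key location chosen by whoever built the token
  for (const name of KEY_REF_HEADERS) {
    if (name in header) findings.push(`header-key-reference:${name}`);
  }
  // Claim quality issues
  if (typeof claims.exp !== "number") findings.push("missing-exp");
  else if (claims.exp <= nowSeconds) findings.push("expired");
  if (typeof claims.nbf === "number" && claims.nbf > nowSeconds) findings.push("nbf-in-future");
  if (typeof claims.exp === "number" && typeof claims.iat === "number" &&
      claims.exp - claims.iat > MAX_LIFETIME_S) findings.push("long-lived");
  if (!("iss" in claims)) findings.push("missing-iss");
  if (!("aud" in claims)) findings.push("missing-aud");
  return { header, claims, findings };
}

// Constructed sample tokens (built here for the demo, not captured from any system).
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const NOW = 1700000000; // fixed clock so results are reproducible
const unsignedSample = `${enc({ alg: "none", jku: "https://keys.example.invalid/jwks.json" })}.` +
  `${enc({ sub: "u1", iat: NOW - 10, exp: NOW + 30 * 86400 })}.`;
const cleanSample = `${enc({ alg: "HS256", typ: "JWT" })}.` +
  `${enc({ iss: "https://issuer.example.invalid", aud: "api", iat: NOW - 10, exp: NOW + 600 })}.c2ln`;
console.log(assessJwt(unsignedSample, NOW).findings, assessJwt(cleanSample, NOW).findings);
```

A finding here is a prompt for review, not proof of a flaw: a `kid` header, for instance, is normal when the verifier resolves it against a fixed allow-list of keys.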