JWT Debugger & Token Inspector

JWT tokens are everywhere — OAuth2, OpenID Connect, REST APIs, microservices. Yet debugging them usually means pasting into jwt.io and hoping for the best. Now there's a self-hosted alternative at /jwt.

What it does

Decode tab — paste any JWT and instantly see the colour-coded parts: pink header, green payload, blue signature. The claim inspector surfaces exp, iat, and nbf with human-readable timestamps ("expires in 3h", "issued 2d ago"). A security analysis panel flags common vulnerabilities automatically.

Security warnings — the tool checks for:

Verify tab — test actual signature verification. Paste an HMAC secret for HS256/384/512, or a PEM public key for RS256/RS384/RS512/ES256/ES384/ES512.

Encode tab — build a token from scratch. Fill in header fields, payload key/value pairs (supports +3600 shorthand for relative timestamps), and a signing secret. Hit Sign and copy the result — or send it straight to the decoder.

Examples library — six pre-built tokens to learn from: a standard valid token, an expired one, the alg:none attack token, a no-expiry token, an RS256 example, and a token missing issuer/audience claims.
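The decode-time checks and HMAC verification described above, as an added Python example (not the tool's own code). The function names and finding labels are assumptions; the checks mirror the token types in the examples library, and the sample tokens are constructed here.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    # JWTs use unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(header, payload, secret):
    # Helper to build constructed sample tokens in compact serialization
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    if header.get("alg") == "none":
        return signing_input + "."  # unsigned token: empty signature part
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def inspect_token(token, now=None):
    # Decode WITHOUT verifying; returns (header, payload, findings)
    now = time.time() if now is None else now
    h64, p64, _sig = token.split(".")
    header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg-none")
    if "exp" not in payload:
        findings.append("no-expiry")
    elif payload["exp"] <= now:
        findings.append("expired")
    findings += ["missing-" + c for c in ("iss", "aud") if c not in payload]
    return header, payload, findings

def verify_hs256(token, secret):
    # The verifier pins the algorithm instead of trusting the header's alg
    signing_input, _, sig = token.rpartition(".")
    header = json.loads(b64url_decode(signing_input.split(".")[0]))
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

if __name__ == "__main__":
    # Constructed sample tokens, not taken from the tool's examples library
    now = int(time.time())
    ok = sign_hs256({"alg": "HS256", "typ": "JWT"},
                    {"sub": "123", "iss": "example", "aud": "api", "exp": now + 3600}, "your-secret")
    unsigned = sign_hs256({"alg": "none", "typ": "JWT"}, {"sub": "123"}, "")
    for tok in (ok, unsigned):
        print(inspect_token(tok)[2], verify_hs256(tok, "your-secret"))
```

Decoding and verifying are separate steps: `inspect_token` reads claims from any well-formed token, while only `verify_hs256` says whether those claims can be trusted.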

REST API

# Decode a token
GET /jwt/api/decode?token=eyJ...

# Verify HMAC signature
POST /jwt/api/verify-hmac
{"token":"eyJ...","secret":"your-secret"}

# Sign a new token
POST /jwt/api/encode
{"header":{"alg":"HS256","typ":"JWT"},"payload":{"sub":"123"},"secret":"key"}

URL sharing

Decoded results are shareable via ?t=<token> — link directly to a decoded view.

No accounts, no tracking, runs locally.
