Debug JWT

🔒 Your data never leaves your browser — all processing happens locally.

JWT Token

Verification Method ?

Choose how to supply the key for signature verification.

PEM / Secret: paste a PEM public key, X.509 certificate, or HMAC shared secret directly.

JWKS URL: provide the issuer's JWKS endpoint and the server will fetch the matching key by kid.

PEM Key / Secret JWKS URL

Verification Key or Secret ?

For asymmetric algorithms (RS256, ES256, PS256…) paste a PEM public key or X.509 certificate.

For symmetric algorithms (HS256, HS384, HS512) paste the plain shared secret string.

Allowed Algorithms (optional) ?

Comma-separated list of accepted algorithms. Prevents algorithm-confusion attacks — e.g. if you expect RS256, pass RS256 so an attacker cannot swap it to HS256 using your public key as a secret.

Paste a JWT token on the left to see the decoded header, payload and claims.

Sign & Generate JWT

Payload (JSON)

Algorithm

Expires In (optional)

Number = seconds. String: 1h, 7d, 30m, 1y…

Issuer (iss) — optional

Subject (sub) — optional ?

Sets the sub claim. If sub is also in the payload JSON, this field takes precedence.

Private Key (PEM)

RSA/EC PEM private key for RS256.

Extra Header Fields (optional JSON) ?

Merged into the JWT header alongside alg and typ. Use to add kid, x5t, jku etc.
Example: {"kid": "key-2024-01"}

Omit iat (issued-at timestamp)