Decode & audit JWTs — privately
Decode any JSON Web Token, read its claims in plain English, and audit it for security issues — 100% in your browser. Your token never leaves the tab.
🔒 Decoded entirely in this tab with your browser's own parser — the token is never sent anywhere. Don't paste a production token into any online decoder you don't trust.
Header algorithm & type
Payload claims
Signature
Claims, in plain English
Security audit
Verify signature (optional) — also 100% in your browser
JWTCheck never needs your key, but if you paste one it stays in this tab (Web Crypto). Use a shared secret for HS* algorithms or a PEM public key for RS*/ES*/PS*.
Why decode JWTs here?
A JSON Web Token is often a live session or bearer credential. Pasting one into a random online decoder means handing a working token to a server you don't control — and not every decoder promises it doesn't log. JWTCheck reads the token with your browser's own parser: there is no upload, no request, no log. It also doesn't just decode — it audits the token for the mistakes that actually cause incidents: alg: none, never-expiring tokens, and weak algorithm choices.
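
A local decode-and-audit pass of the kind described above, as an added example (not JWTCheck's own code). The function names, finding labels and sample tokens are assumptions made for illustration; it also flags expired tokens and empty signatures, and it skips the weak-algorithm check because the page does not say which algorithms it flags.

```javascript
// Added example: decode and audit a JWT with built-in parsers only (no network calls).
// Decode one base64url segment into a JSON object; throws on bad input.
function b64urlToJson(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  const value = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  if (value === null || typeof value !== "object") throw new Error("not a JSON object");
  return value;
}

// Audit a compact JWT. Finding labels are hypothetical names chosen for this example.
function auditJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) return { ok: false, findings: ["malformed"] };
  let header, payload;
  try {
    header = b64urlToJson(parts[0]);
    payload = b64urlToJson(parts[1]);
  } catch (e) {
    return { ok: false, findings: ["malformed"] };
  }
  const findings = [];
  const alg = typeof header.alg === "string" ? header.alg : "";
  if (alg === "") findings.push("alg-missing");
  else if (alg.toLowerCase() === "none") findings.push("alg-none"); // unsigned token
  else if (parts[2] === "") findings.push("empty-signature");       // claims an alg, carries no signature
  if (typeof payload.exp !== "number") findings.push("no-exp");     // never expires
  else if (payload.exp <= nowSeconds) findings.push("expired");
  return { ok: findings.length === 0, header, payload, findings };
}

// Constructed sample tokens (not real credentials; the signature is a dummy string).
function makeToken(header, payload, sig) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc(header)}.${enc(payload)}.${sig}`;
}
const sampleNone = makeToken({ alg: "none", typ: "JWT" }, { sub: "demo" }, "");
const sampleSigned = makeToken({ alg: "RS256", typ: "JWT" }, { sub: "demo", exp: 2000 }, "c2ln");

console.log(auditJwt(sampleNone).findings);
console.log(auditJwt(sampleSigned, 1000).findings);
```

This only inspects the header and claims; it does not verify the signature, so a clean audit says nothing about whether the token is authentic.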