About JWTCheck
Decode any JSON Web Token, read its claims in plain English, and audit it for security issues — 100% in your browser. Your token never leaves the tab.
What it does
Paste a JSON Web Token and JWTCheck splits it into its three dot-separated segments, base64url-decodes the header and payload, and shows them with syntax highlighting. It renders the registered claims in plain English: exp, iat and nbf become real dates and relative times, and iss, aud and sub are labelled. Then it audits the token for the mistakes that cause real incidents: alg: none (unsigned, so anyone can forge the claims), symmetric versus asymmetric algorithm choice (with HS* every verifier holds the signing secret, whereas RS*/ES*/PS* verifiers hold only a public key), expired or never-expiring tokens, and missing issuer or audience claims.
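The decode-and-audit step above, as an added JavaScript example (not JWTCheck's own code): it splits the token, base64url-decodes the header and payload, explains the time claims relative to an injectable clock, and flags each of the findings the page lists. The sample token is constructed inline (an unsigned, already-expired token with no audience) and is not a real credential; the finding labels such as ALG_NONE are this example's own naming, not the tool's.

```javascript
// Added example, not JWTCheck's own code: split a JWT, base64url-decode the
// header and payload, explain the time claims, and flag the audit findings the
// page lists. Runs in a browser or in Node >= 16 (atob/TextDecoder are global).

const SYMMETRIC_ALGS = new Set(['HS256', 'HS384', 'HS512']);
const ASYMMETRIC_ALGS = new Set(['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512',
                                 'PS256', 'PS384', 'PS512']);

// base64url (RFC 7515 section 2): base64 with '-' '_' in place of '+' '/', no padding.
function base64urlDecode(s) {
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);            // UTF-8 aware, unlike atob alone
}

function base64urlEncode(str) {
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split and decode. The signature segment is returned untouched; checking it is a separate step.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const [h, p, signature] = parts;
  return { header: JSON.parse(base64urlDecode(h)), payload: JSON.parse(base64urlDecode(p)), signature };
}

function formatDuration(seconds) {
  const units = [['d', 86400], ['h', 3600], ['m', 60], ['s', 1]];
  for (const [label, size] of units) if (seconds >= size) return `${Math.floor(seconds / size)}${label}`;
  return '0s';
}

// Render exp / iat / nbf (NumericDate = seconds since the epoch) as an absolute date plus a relative time.
function describeTimeClaim(name, value, now) {
  if (typeof value !== 'number') return `${name}: not a NumericDate (${JSON.stringify(value)})`;
  const delta = value - now;
  const rel = delta >= 0 ? `in ${formatDuration(delta)}` : `${formatDuration(-delta)} ago`;
  return `${name} = ${value} (${new Date(value * 1000).toISOString()}, ${rel})`;
}

// Audit for the mistakes listed on the page. `now` is injectable so results are reproducible.
function auditJwt(token, now = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(token);
  const findings = [];
  const alg = String(header.alg ?? '');

  if (alg.toLowerCase() === 'none' || signature === '') {
    findings.push('ALG_NONE: unsigned token; anyone can forge the claims');
  } else if (SYMMETRIC_ALGS.has(alg)) {
    findings.push(`SYMMETRIC_ALG: ${alg} means every verifier holds the signing secret`);
  } else if (!ASYMMETRIC_ALGS.has(alg)) {
    findings.push(`UNKNOWN_ALG: "${alg}" is not a registered JWS algorithm`);
  }
  if (payload.exp === undefined) findings.push('NO_EXP: token never expires');
  else if (typeof payload.exp !== 'number') findings.push('BAD_EXP: exp is not a NumericDate');
  else if (payload.exp <= now) findings.push('EXPIRED: exp is in the past');
  if (typeof payload.nbf === 'number' && payload.nbf > now) findings.push('NOT_YET_VALID: nbf is in the future');
  if (payload.iss === undefined) findings.push('NO_ISS: no issuer claim');
  if (payload.aud === undefined) findings.push('NO_AUD: no audience claim');

  const explained = ['exp', 'iat', 'nbf'].filter(c => c in payload)
    .map(c => describeTimeClaim(c, payload[c], now));
  return { header, payload, explained, findings };
}

// Constructed sample (not a real credential): unsigned, expired an hour ago, no audience.
const SAMPLE_NOW = 1700000000;                 // fixed clock so the output is reproducible
const SAMPLE_TOKEN = [
  base64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' })),
  base64urlEncode(JSON.stringify({ sub: 'alice', iss: 'https://issuer.example',
                                   iat: SAMPLE_NOW - 7200, exp: SAMPLE_NOW - 3600 })),
  '',                                           // alg:none tokens carry an empty signature segment
].join('.');

const report = auditJwt(SAMPLE_TOKEN, SAMPLE_NOW);
console.log(report.explained.join('\n'));
console.log(report.findings.join('\n'));
```

Two details matter in practice: the decoder is UTF-8 aware (atob alone mangles non-ASCII claim values), and a header whose alg is "none" is caught whether or not the signature segment is empty, so case variants like "None" are not missed.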
Privacy by construction
A JWT is frequently a live session or bearer credential. Pasting one into an online decoder hands a working token to a server you don't control. JWTCheck never does that: the token is decoded with your browser's own parser — no upload, no request, no log. Open your Network tab and confirm it.
Signature verification stays local too
Verification is optional and also runs in your browser, using the built-in Web Crypto API. Paste a shared secret (for HS256/384/512) or a PEM public key (for RS*/ES*/PS*) and JWTCheck checks the signature without the key — or the token — ever leaving the tab.
Not a substitute for server-side validation
JWTCheck is an inspection and learning tool. Your application must still validate tokens server-side on every request — signature, expiry, issuer and audience — with a maintained library. Never trust a token just because it decoded.
Made by Copper Bay Labs
One of a family of free, no-signup developer tools. See more at Copper Bay Labs. Want your authentication reviewed? Copper Bay Tech can help.