tokenbench

The JWT workbench that never sees your tokens

Decode, verify, generate and lint JSON Web Tokens — every algorithm, one page each, entirely in your browser. Paste the real token; that's the point.

Runs entirely in your browser. Open devtools → Network. Paste a token. Nothing is sent. Read the source · What we measure
Decoding happens on this page. Nothing is sent anywhere.

Every tool in the workbench

Why "don't paste real tokens" is the wrong advice

Almost every JWT tool on the web carries some version of that warning, and they are right to — a token pasted into a page that posts it to a server is a credential you have handed to a stranger. But the warning is useless, because the tokens you need to debug are the real ones. Nobody opens a decoder to look at a token they made up.

So the warning gets ignored, and real session tokens end up in strangers' server logs. The answer is not a sterner warning. It is a tool that does not need one — and that lets you confirm it, rather than asking you to trust it.

Concretely, that means:

Completeness, because the gaps are where the bugs are

The other reason this exists: most JWT tools do part of the job. One decodes but cannot verify. One supports RSA but not elliptic curve. One verifies but cannot show you why an expired token still has a perfectly good signature. So you end up using three of them, pasting the same token into each.

TokenBench supports the full JOSE algorithm set — HS256/384/512, RS256/384/512, PS256/384/512, ES256/384/512 and EdDSA — accepts keys as PEM, JWK, JWKS or raw secret, and runs the same security lint everywhere. If a token has alg:none, a well-known default secret, no expiry, or a lifetime measured in months, you will be told — whichever page you are on.