The JWT workbench that never sees your tokens
Decode, verify, generate and lint JSON Web Tokens — every algorithm, one page each, entirely in your browser. Paste the real token; that's the point.
Every tool in the workbench
JWT Decoder
Read a token's header, payload and claims — including expired ones. Nothing is uploaded.
JWT Validator
Verify a signature against a secret, PEM, JWK or JWKS. Signature and expiry are judged separately.
JWT Generator
Mint a test token for any algorithm — including deliberately invalid ones, to test your rejection path.
JWT Secret Key Generator
Generate a cryptographically random HMAC secret at 256, 384 or 512 bits.
Why "don't paste real tokens" is the wrong advice
Almost every JWT tool on the web carries some version of that warning, and they are right to — a token pasted into a page that posts it to a server is a credential you have handed to a stranger. But the warning is useless, because the tokens you need to debug are the real ones. Nobody opens a decoder to look at a token they made up.
So the warning gets ignored, and real session tokens end up in strangers' server logs. The answer is not a sterner warning. It is a tool that does not need one — and that lets you confirm it, rather than asking you to trust it.
Concretely, that means:
- No network requests. After the page loads, nothing is sent. Watch the Network tab while you paste. The one exception is fetching a JWKS from a URL you typed, on a button you clicked — and even then, the token itself is never part of the request.
- No storage. Nothing you paste touches localStorage, sessionStorage, IndexedDB or a cookie. Refresh, and it is gone.
- No third-party scripts near your inputs. Ads, when there are any, are sandboxed in iframes that cannot read the page. Analytics counts events, never content.
- Readable source. The whole thing is a handful of TypeScript files calling WebCrypto. Go and check that the claims above are true.
- Works offline. Load the site once, kill your connection, and every tool still works. A page that functions with the network unplugged cannot be exfiltrating anything.
Completeness, because the gaps are where the bugs are
The other reason this exists: most JWT tools do part of the job. One decodes but cannot verify. One supports RSA but not elliptic curve. One verifies but cannot show you why an expired token still has a perfectly good signature. So you end up using three of them, pasting the same token into each.
TokenBench supports the full JOSE algorithm set — HS256/384/512, RS256/384/512, PS256/384/512, ES256/384/512 and EdDSA — accepts keys as PEM, JWK, JWKS or raw secret, and runs the same security lint everywhere. If a token has alg:none, a well-known default secret, no expiry, or a lifetime measured in months, you will be told — whichever page you are on.