jarvisbox

JWT デコード&検証ツール

JWTをブラウザでデコードして署名を検証。Header・Payload・標準クレームを確認。HMAC・RSA・ECDSA対応。完全プライベート。

100% client-side · no upload · SubtleCrypto verified

How to use

  1. Paste any JWT token into the input field — the header, payload, and standard claims decode instantly.
  2. Review the color-coded sections: the header shows the algorithm and token type; the payload shows all claims including issuer, subject, and expiry.
  3. To verify the signature, paste your HMAC shared secret or PEM-encoded RSA/ECDSA public key into the verification field and click Verify Signature.

Related use cases

Related developer tools

よくある質問

Does my JWT leave my browser?
No. The entire decoding and verification process runs in your browser using the built-in Web Crypto API (SubtleCrypto). Your token, secret, or key is never sent to any server.
Can this tool verify JWT signatures?
Yes. For HMAC tokens (HS256, HS384, HS512) enter your shared secret. For RSA (RS256, RS384, RS512) and ECDSA (ES256, ES384, ES512) tokens paste the PEM-encoded public key. The browser's SubtleCrypto API performs the cryptographic check entirely client-side.
What does the exp claim mean and does the tool check it?
exp is the "expiration time" — a Unix timestamp (seconds since epoch) after which the token must not be accepted. This tool highlights expired tokens in red and shows a human-readable relative time so you can spot stale tokens at a glance.
What algorithms are supported?
Decoding works for any JWT. Signature verification supports HS256, HS384, HS512 (HMAC), RS256, RS384, RS512 (RSA PKCS#1 v1.5), and ES256, ES384, ES512 (ECDSA). The algorithm is read automatically from the JWT header.
Why should I use this instead of jwt.io?
jwt.io sends your token to their servers for decoding. This tool is 100% client-side — nothing ever leaves your device. It is safe to use with production tokens, API keys embedded in JWTs, or tokens containing PII.

Last updated:

このツールの問題を報告