JWT Tester and Editor
Decode, verify, modify, and edit JSON Web Tokens (JWT) with support for multiple algorithms
About JWT Tester and Editor
Overview
JWT Tester and Editor is a tool for working with JSON Web Tokens (JWT). It lets you decode a JWT to inspect its header and payload, edit claims, verify the signature against a secret or public key, and generate a newly signed token. It supports the common HMAC (HS256/384/512), RSA (RS256/384/512) and ECDSA (ES256/384/512) signing algorithms. All operations run locally in your browser; the tokens and keys you paste are never sent to a server.
Features
- Decode JWT tokens to view header, payload, and signature
- Modify and edit JWT claims with JSON editor
- Verify token signatures with secret or public keys
- Sign and generate new JWT tokens
- Support for all major algorithms: HS256/384/512, RS256/384/512, ES256/384/512
- Display token expiration and validity status
- Copy header, payload, or entire token with one click
- Completely browser-based with no server communication
- Sample JWT included for testing
- Real-time JSON validation for edited content
How to Use
- Paste your JWT token into the input field
- Click "DECODE JWT" to view the decoded header and payload
- Enable "Edit Mode" to modify the header or payload JSON
- Enter your secret key or public/private key for verification or signing
- Click "Verify Signature" to check token authenticity
- Click "SIGN & GENERATE NEW JWT" to create a new token with your modifications
FAQ
What is a JWT and why is it used?
A JWT (JSON Web Token) is a compact, URL-safe token that carries a set of claims as a JSON object. JWTs are commonly used for authentication and information exchange in web applications. A signed JWT (a JWS) lets the recipient check that the claims were issued by the holder of the signing key and have not been altered in transit; it does not hide them. Because the token carries its own claims, the server can validate it without storing session data. The trade-off is that a stateless token cannot be revoked individually before it expires unless the server keeps some state, such as a deny-list of token IDs.
Is JWT encryption secure?
JWTs are signed, not encrypted by default. The signature ensures integrity and authenticity but does not hide the content. Anyone can decode and read the header and payload. Never store sensitive information like passwords in JWT claims. For confidential data, use JWE (JSON Web Encryption) which encrypts the token content.
Which algorithm should I choose?
HS256 (HMAC with SHA-256) uses one shared secret for both signing and verification, so every party that can verify a token can also mint one. Use it only when the signer and verifier are the same service or fully trust each other, and use a secret of at least 256 bits of random data (RFC 7518 requires the HMAC key to be at least as long as the hash output). For distributed systems where many services verify tokens but only one issues them, use RS256 (RSA with SHA-256): the private key stays with the issuer and verifiers hold only the public key. ES256 (ECDSA with SHA-256) offers comparable security to RS256 with much smaller keys and signatures. All of these use SHA-256 or stronger; what matters more than the choice between them is that every verifier accepts only the algorithm it was configured for.
How do I verify a JWT token?
To verify a JWT, split it into its three base64url segments, parse the header and payload, and recompute the signature over the first two segments (joined by a dot) using the key and the algorithm your application expects. Do not let the token's own alg header choose the algorithm: the header is attacker-controlled, and a verifier that honours it can be tricked into accepting alg "none" (no signature at all) or into checking an RSA-signed token as an HMAC keyed with the public key. Compare the recomputed signature with the token's signature in constant time. A matching signature only proves the token was produced by the key holder and has not been altered; before accepting it, also check the expiration claim (exp) and, where present, nbf, iss and aud.
What happens if my JWT secret is compromised?
If your HMAC secret or private signing key is compromised, attackers can mint valid tokens for any user. Rotate the key immediately. Because JWTs are stateless, tokens signed with the old key can only be invalidated by refusing that key at every verifier, which logs out every holder, or by keeping a server-side deny-list or jti check; short token lifetimes limit how long a stolen or forged token stays useful. For critical systems, prefer asymmetric algorithms such as RS256 or ES256: only the issuing service holds the private key, and a verifier that is breached yields nothing that can forge tokens.
Can I modify a JWT token?
You can modify the header and payload, but the signature will become invalid. After modification, you must re-sign the token with the correct secret or private key. This tool allows you to edit claims and generate a new properly signed token. Without the signing key, you cannot create valid tokens.