EncryptCodecencryptcodec
Tools/JWT Debugger

JWT Debugger

Decode, edit, re-sign, and verify JSON Web Tokens. Edit the header or payload, provide an HMAC secret, and re-sign the token — all in your browser using the Web Crypto API.

All processing happens in your browser — nothing is sent to our servers

How JWT Signature Verification Works

A JWT has three Base64url-encoded parts: header, payload, and signature. For HMAC algorithms (HS256/HS384/HS512), the signature is computed as HMAC(header.payload, secret). Verification re-computes the HMAC with the same secret and compares it to the token's signature. If they match, the token has not been tampered with. Editing the header or payload invalidates the original signature — you must re-sign with a valid secret to produce a new valid token.

How it works
JWT Editing, Signing, and Verification
01Decode

JWT split at dots — header and payload Base64url-decoded to reveal JSON, signature kept as raw bytes

02Edit

Header and payload JSON editable in real-time — changes reflected immediately in the re-encoded JWT

03Sign

Modified header.payload signed with HMAC-SHA256/384/512 using the provided secret via Web Crypto API

04Verify

Signature verified by re-computing HMAC with the same secret and comparing — timing-safe comparison in Web Crypto

05Compare

Original and modified JWTs shown side by side — differences in claims, timestamps, and signatures highlighted

Spec: RFC 7519 (JWT), RFC 7515 (JWS), RFC 2104 (HMAC), Web Crypto API

This tool only supports HMAC algorithms (HS256/384/512) which use a shared secret. RSA (RS256) and EC (ES256) algorithms require asymmetric key pairs — use the JWT Signer tool for those.

Frequently Asked Questions