JWT Faker

Decode, verify (HMAC), and generate JSON Web Tokens (JWT) directly in your browser. Use the tabs below to analyze or create tokens.

Payload
Enter the JSON payload data.
Secret & Algorithm
Provide secret and choose HMAC algorithm.

Only HMAC supported initially. RSA/ECDSA require key pairs.

About JWT Faker

JSON Web Tokens carry claims between a client and a server in a compact, signed form — three Base64URL segments joined by dots: a header, a payload, and a signature. When you're debugging an auth flow, you constantly need to peek inside a token to see who it's for and when it expires, confirm a signature was produced with the right secret, or craft a test token with specific claims. This tool does all three without sending anything to a backend.

Paste a token to decode it and the header and payload are pulled apart and pretty-printed, with timestamps like exp and iat shown in a readable form. Supply the HMAC secret and the tool verifies whether the signature matches, so you can tell a valid token from a tampered or stale one. Switch to generate mode to build a token from scratch — set the claims you want and sign it with HS256/HS384/HS512 to produce test fixtures for your auth code.

Because the decoding, verification, and signing all run locally in your browser, real tokens and secrets never leave your machine. That's important: a JWT often contains live session claims, and its signing secret is a credential. Keeping the work client-side means you can debug production tokens without leaking them to a third-party server.

How to use JWT Faker

  1. Paste a token to decode

    Drop a JWT into the input and the tool splits and pretty-prints the header and payload, showing claims like exp and iat in readable form.

  2. Verify the signature

    Enter the HMAC secret used to sign the token. The tool recomputes the signature and tells you whether it matches — proving the token is authentic and unmodified.

  3. Generate a test token

    Switch to generate mode, set the claims you need, choose an HMAC algorithm (HS256/384/512), and provide a secret to sign a fresh token.

  4. Copy the result

    Copy the decoded claims or the newly generated token into your tests, API client, or auth debugging session.

Frequently asked questions