AES Encryption Explained: How It Works and Why It Matters
Jun 23, 2026
Decode and verify JWT token signatures. Supports HS256, RS256, ES256 and more.
JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and information exchange in web applications and APIs.
A JWT consists of three parts separated by dots: the Header (containing the algorithm and token type), the Payload (containing claims like user ID and expiration), and the Signature (used to verify that the token hasn't been tampered with). The signature is created by signing the encoded header and payload with a secret key or private key.
A JWT token has three base64url-encoded parts: Header, Payload, and Signature. The signature is computed by signing the header + payload with a key.
To verify:
Yes. All JWT decoding and signature verification is performed entirely in your browser using the Web Crypto API. Your keys never leave your device.
A valid signature confirms that the token was signed with the corresponding private/secret key and that the header and payload have not been tampered with since signing.
For HMAC algorithms (HS256/384/512), you need the same shared secret used to sign. For RSA (RS256/384/512) and ECDSA (ES256/384/512), you need the public key in PEM format.
You can decode the header and payload without a key (select the "algorithm none" tokens are flagged). But signature verification always requires the appropriate key.
Generate signed JWT tokens online
Decode and validate JWT tokens
Encrypt/decrypt with AES-256
Generate RSA key pairs in PEM format
Generate HMAC signatures
Test password strength and entropy
Blog
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026