How is the signature verified locally?

Signature verification uses the browser's built-in SubtleCrypto Web API. For HMAC (HS256/384/512), the secret is used locally to recompute the HMAC. For RSA/EC, the public key PEM is imported and used for local verification. No external library is loaded.

Is it safe to paste a real JWT token here?

The decoder is 100% local — no data is uploaded. For extra caution with production tokens, verify the tool is running from https://flowfiles.app (check for HTTPS) and avoid using shared or public computers.

What is the difference between this and jwt.io?

Both tools decode JWTs in the browser. This tool focuses on privacy (explicit no-upload guarantee), supports time travel for expiration testing, provides per-claim colored badges, and does not require any sign-in or account.

Flowfiles ← JWT Decoder

JWT Decoder Without Upload

Q: Does this JWT decoder send data to a server?

No. The tool is built with vanilla JavaScript and runs entirely in your browser. Tokens, secrets, and PEM keys never leave your device. There is no backend, no logging, and no network request.

100% local JWT decode, verify & build — no server · no logs · no account · SubtleCrypto

Decode, verify, and build JWT tokens entirely in your browser. No data is sent to any server. HMAC secrets and PEM keys are only used locally via the browser's built-in SubtleCrypto API. No sign-in required.

Decode your JWT — nothing leaves your browser

Open the JWT Decoder →

Why local processing matters

JWT tokens can contain sensitive information: user identities, permissions, session data. When you paste a token into an online tool, you are trusting the server that receives it. This tool uses no server:

Decoding is done in JavaScript with standard atob() and JSON parsing
HMAC verification uses SubtleCrypto.verify() — no HMAC secret leaves the browser
RSA/EC verification imports the public key locally via SubtleCrypto.importKey()
No analytics scripts read the JWT textarea content
Cloudflare Pages serves only static files — there is no backend

Frequently asked questions

Does this JWT decoder send data to a server?

No. The tool is pure JavaScript running in your browser. Tokens, HMAC secrets, and PEM keys are processed locally only. The page is served as a static file from Cloudflare Pages — there is no backend to receive data.

How is signature verification done locally?

The browser's built-in SubtleCrypto Web Crypto API handles all cryptographic operations. For HS256, the secret and the header+payload bytes are used to compute HMAC-SHA256 locally. For RS256/ES256, the PEM key is imported via importKey() and verify() is called in-browser.

Can I use this with production tokens?

Yes — the tool never uploads anything. As general best practice, avoid pasting long-lived production tokens in shared environments, and always verify you are on https://flowfiles.app.

Does this tool work offline?

Once the page is loaded, decoding and verification work without any network connection. The only network request is the initial page load — fonts are loaded lazily and do not block the tool.

Related tools

Full JWT Decoder Decode a JWT Verify JWT Signature Free JWT Tool Base64 Encoder