
JWTScope Documentation

JWTScope is a high-security JSON Web Token (JWT) analyzer. It processes tokens locally, in your browser, so tokens containing PII or sensitive API scopes are never exposed to third-party servers.

Privacy & Security

JWTs often contain sensitive identity data. Most online decoders send your tokens to their backends for parsing. JWTScope is different:

  • Local-Only Decoding: Uses base64UrlDecode logic directly in your browser.
  • Zero Tracking: No logging of secrets or tokens. Verification happens entirely in your local JavaScript environment.
  • Safe Sharing: Use the "Export Sanitized" feature to share token structures with your team without exposing the actual sensitive values.

Decoding & Claims Inspection

JWTScope breaks the token into its three standard components:

  1. Header: Metadata about the token (algorithm, type).
  2. Payload: The data (claims) stored in the token.
  3. Signature: The cryptographic proof of authenticity.

Standard claims like exp (expiration), iat (issued at), and iss (issuer) are automatically translated into human-readable timestamps and labels.

Signature Verification

To check whether a token's signature is valid, use the Verification section:

  • HMAC (HS256/384/512): Paste your shared secret.
  • RSA/ECDSA (RS256/ES256): Paste the Public Key (usually as a PEM string) to verify the asymmetric signature.

Security Auditing

The tool performs a real-time security audit on your token, flagging risks such as:

  • None Algorithm: Tokens using alg: none are flagged as critical risks.
  • Short Expiration: Warns if the exp claim is missing or set too far in the future.
  • Weak HMAC: Flags short or easily guessable secrets if verification fails.
  • Sensitive Data: Identifies if common PII (email, phone) is stored unmasked in the claims.
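The audit checks listed above, together with the "Export Sanitized" idea from the Privacy & Security section, as one added example that is not JWTScope's own code. It takes an already-decoded header and payload, returns findings for alg: none, a missing or far-future exp and unmasked e-mail or phone values, and produces a structure-only copy of the claims for sharing. The lifetime threshold, the PII patterns, the severity names and the helper names are assumptions; the sample claims are constructed.

```javascript
// Added example (not JWTScope's own code): local audit and sanitized export.

// Assumed threshold for "set too far in the future" (24 hours).
const MAX_LIFETIME_SECONDS = 24 * 60 * 60;
// Assumed, deliberately simple PII patterns for illustration.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PHONE_RE = /^\+?[0-9][0-9 ().-]{6,}[0-9]$/;

// Yields [dotted.path, leafValue] for every leaf in a nested claims object.
function* walkClaims(obj, prefix = '') {
  for (const [k, v] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${k}` : k;
    if (v && typeof v === 'object') yield* walkClaims(v, path);
    else yield [path, v];
  }
}

// `now` is injectable so the result is deterministic in tests.
function auditToken(header, payload, now = Math.floor(Date.now() / 1000)) {
  const findings = [];
  const alg = String(header.alg ?? '').toLowerCase();
  if (alg === 'none' || alg === '') {
    findings.push({ severity: 'critical', check: 'alg', message: 'unsigned token (alg: none)' });
  }
  if (typeof payload.exp !== 'number') {
    findings.push({ severity: 'warning', check: 'exp', message: 'exp claim missing' });
  } else if (payload.exp - now > MAX_LIFETIME_SECONDS) {
    const hours = Math.round((payload.exp - now) / 3600);
    findings.push({ severity: 'warning', check: 'exp', message: `exp is ${hours}h in the future` });
  } else if (payload.exp <= now) {
    findings.push({ severity: 'info', check: 'exp', message: 'token already expired' });
  }
  for (const [path, value] of walkClaims(payload)) {
    if (typeof value !== 'string') continue;
    if (EMAIL_RE.test(value)) {
      findings.push({ severity: 'warning', check: 'pii', message: `email address in claim ${path}` });
    } else if (PHONE_RE.test(value)) {
      findings.push({ severity: 'warning', check: 'pii', message: `phone number in claim ${path}` });
    }
  }
  return findings;
}

// Keeps keys and nesting, replaces every value with its type (and length for
// strings), so the claim layout can be shared without the values.
function sanitizeClaims(obj) {
  const out = Array.isArray(obj) ? [] : {};
  for (const [k, v] of Object.entries(obj)) {
    if (v && typeof v === 'object') out[k] = sanitizeClaims(v);
    else if (typeof v === 'string') out[k] = `string(${v.length})`;
    else out[k] = typeof v;
  }
  return out;
}

// Constructed sample claims for this example.
const SAMPLE_NOW = 1700000000;
const SAMPLE_HEADER = { alg: 'HS256', typ: 'JWT' };
const SAMPLE_PAYLOAD = {
  sub: 'user-123',
  exp: SAMPLE_NOW + 365 * 86400,
  email: 'alice@example.com',
  contact: { phone: '+1 555 010 0000' },
};

console.log(auditToken(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_NOW));
console.log(JSON.stringify(sanitizeClaims(SAMPLE_PAYLOAD)));
```

The sanitized copy is what you would paste into a ticket or chat: reviewers can see that a token carries an email and a nested contact.phone claim, and how long each value is, without the values themselves.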

Frequently Asked Questions

Can I compare two tokens?
Yes. Use the "Compare Tokens" button to view a side-by-side diff of two JWTs to see which claims or scopes have changed between them.

What is the maximum token size?
Because processing is local, the only limit is your browser's memory. In practice, even tokens of several megabytes (which are rare) are handled instantly.

Stop compromising your tokens

Use JWTScope for private, local-first token analysis and security auditing.
