JWT Viz — JSON Web Token Visualizer

About JWT Viz

JWT Viz is a privacy-first, client-side JSON Web Token visualizer built for developers, security engineers, and DevOps teams who need to inspect, debug, and validate JWTs without compromising sensitive data. Unlike online JWT tools that send tokens to remote servers, JWT Viz runs 100% in your browser, ensuring zero data transmission, no logging, and complete isolation of your tokens.


Designed with modern web standards and performance in mind, JWT Viz leverages SvelteKit and the Web Crypto API to deliver a fast, responsive, and offline-capable experience. Whether you're analyzing authentication flows, auditing third-party tokens, or teaching JWT concepts, this tool transforms complex, nested claims into an interactive, searchable tree structure—making debugging intuitive and efficient.


The core philosophy behind JWT Viz is transparency and control. Every operation—from Base64 decoding to signature verification—happens locally using standards-compliant JavaScript. You can paste tokens from logs, upload them via drag-and-drop, or even install the app as a Progressive Web App (PWA) for instant access on desktop or mobile, even without an internet connection.


Key features include:

  • Dual-panel tree view of header and payload with expand/collapse and search
  • Real-time syntax-highlighted JSON and encoded segment display
  • Client-side signature verification for HS256 and RS256 using public keys or secrets
  • Export options: Copy JSON, download decoded object, or capture PNG screenshots
  • Standard claim highlighting (e.g., exp, iss) with expiration warnings

Built as a static site, JWT Viz generates a single index.html with bundled assets—making it ideal for internal tools, documentation, or secure environments. Host it on any static file server, share via USB, or embed in Confluence. No backend, no database, no risk.

JWT Viz is open source under the MIT License and actively maintained on GitHub. Contributions are welcome—from bug reports to new visualization ideas. Our goal is to make JWT inspection accessible, secure, and educational for everyone in the web security ecosystem.

Because understanding a token shouldn’t require trusting a third party.

How to Use JWT Viz

Getting started with JWT Viz is simple and requires no installation. Follow these steps to inspect and verify any JWT in seconds:

1. Input Your Token

Paste a JWT into the large text area at the top, or drag and drop a .txt or .jwt file directly onto the input box. The tool instantly parses the token and displays any errors (e.g., malformed format, invalid Base64).

2. Explore the Tree View

Once decoded, the header and payload appear side-by-side in interactive tree panels. Click any node to expand or collapse nested objects. Use the search bar to filter claims by key or value—perfect for finding role, scope, or custom fields in large tokens.

Standard claims like iss, sub, exp, and iat are highlighted in bold blue. Expiration (exp) and not-before (nbf) timestamps are color-coded: green if valid, red if expired.

3. Switch Between Tabs

Use the tab navigation to switch views:

  • Tree: Interactive claim hierarchy (default)
  • Raw JSON: Syntax-highlighted, formatted header and payload
  • Encoded: Base64Url segments with copyable text

4. Verify the Signature (Optional)

Scroll to the Signature Status card. Paste a secret (for HS256) or public key in PEM/SPKI format (for RS256). The tool uses the Web Crypto API to verify the signature in-browser. Results show:

  • Verified — Signature matches
  • Invalid — Tampered or wrong key
  • Unsigned (alg: none)

5. Export Your Findings

Use the export buttons to:

  • Copy header, payload, or full decoded JSON
  • Download jwt-decoded.json
  • Capture a high-resolution PNG of the current view

6. Go Offline (PWA)

Click the install icon in your browser’s address bar to add JWT Viz to your home screen. It works fully offline—ideal for secure environments or travel.

Pro tip: Use “Expand All” in tree view to audit every claim at once.

Frequently Asked Questions

Is my JWT data sent to a server?

No. JWT Viz is 100% client-side. All parsing, decoding, visualization, and signature verification happen in your browser using JavaScript and Web Crypto. No data is transmitted, logged, or stored. You can verify this by checking network requests or running it offline.

Can I use JWT Viz in air-gapped environments?

Yes. After the first load, the PWA caches all assets. You can copy the build/ folder to a USB drive and run index.html on any modern browser—no internet required.

What does “Signature Verified” really mean?

It means the cryptographic signature matches the header and payload using the provided key. However, it does not prove who issued the token—only that it hasn’t been tampered with since signing. Always validate iss and aud claims in production.
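
The checks a verifier needs on top of a matching signature, as an added example (not JWT Viz source code): HS256 verification with the Web Crypto API, an algorithm pin that rejects alg: none, then exp, nbf, iss and aud. The function names, secret, issuer and audience values are assumptions made for illustration, and the require fallback is only for Node versions without a global crypto object.

```javascript
// Added example (not JWT Viz source). Browser or Node 18+; all values are constructed.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const enc = new TextEncoder(), dec = new TextDecoder();

function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '=')), c => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const hmacKey = (secret, usage) =>
  subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);

// Builds a constructed HS256 sample token so the example runs offline.
async function makeToken(payload, secret) {
  const part = obj => bytesToB64url(enc.encode(JSON.stringify(obj)));
  const input = `${part({ alg: 'HS256', typ: 'JWT' })}.${part(payload)}`;
  const sig = await subtle.sign('HMAC', await hmacKey(secret, 'sign'), enc.encode(input));
  return `${input}.${bytesToB64url(new Uint8Array(sig))}`;
}

// Returns 'ok' or the first reason the token is rejected.
async function validate(token, secret, { iss, aud, now = Math.floor(Date.now() / 1000) }) {
  const [h, p, s, extra] = token.split('.');
  if (s === undefined || extra !== undefined) return 'malformed';
  let header, claims, sig;
  try {
    header = JSON.parse(dec.decode(b64urlToBytes(h)));
    claims = JSON.parse(dec.decode(b64urlToBytes(p)));
    sig = b64urlToBytes(s);
  } catch { return 'malformed'; }
  if (!header || !claims) return 'malformed';
  // Pin the algorithm: never take it from the token, and never accept "none".
  if (header.alg !== 'HS256') return 'alg not allowed';
  const key = await hmacKey(secret, 'verify');
  if (!(await subtle.verify('HMAC', key, sig, enc.encode(`${h}.${p}`)))) return 'invalid signature';
  // A matching signature only shows integrity; the claims decide acceptance.
  if (typeof claims.exp !== 'number' || now >= claims.exp) return 'expired';
  if (typeof claims.nbf === 'number' && now < claims.nbf) return 'not yet valid';
  if (claims.iss !== iss) return 'wrong issuer';
  const auds = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  return auds.includes(aud) ? 'ok' : 'wrong audience';
}
```

A token signed with the right secret but issued for a different audience passes the signature step and is still rejected, which is the gap between "Verified" and "accepted".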

Which algorithms are supported for verification?

HS256 (HMAC-SHA256) and RS256 (RSA-SHA256). These cover ~95% of real-world use cases. ES256 and others are not yet supported due to Web Crypto limitations.

Why can’t I paste a private key?

For security, only public keys (RS256) or shared secrets (HS256) should be used in the browser. Private keys should never leave secure environments. JWT Viz enforces this pattern.

Is JWT Viz safe for production tokens?

Yes for inspection and debugging. Never use client-side verification for access control in production—always validate on the server. Use JWT Viz to audit logs, test implementations, or educate teams.

Can I embed JWT Viz in my documentation?

Absolutely. Host the static build on your internal wiki, Confluence, or Notion. It’s lightweight (<250KB) and requires no backend.

How do I report a bug or suggest a feature?

Open an issue on our GitHub repository. Pull requests are welcome!

Still have questions? The source code is your documentation.