Security

Kehai JWT helps you inspect JWTs in a safe, local-first way. Good security still depends on how you use tokens in production.

Secrets and sensitive tokens

Never paste production secrets or live access tokens into untrusted sites. Prefer test keys and sample JWTs. Clear the page or close the tab when you are done.

Algorithms

This tool currently supports HMAC-SHA256 (HS256) for signing and verification in the browser. Other algorithms (for example RS256) require different key material and are not implemented here.

Cryptography

Operations rely on the browser Web Crypto API. Use an up-to-date browser. If Web Crypto is unavailable, signing and verification will not work.
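
The HS256 signing and verification described under Algorithms and Cryptography can be sketched with the Web Crypto API as follows. This is an added example, not code from Kehai JWT; the function names and result shape are assumptions, and the `require` fallback exists only so the same code also runs under older Node.js.

```javascript
// Added example: HS256 sign/verify on Web Crypto. All names are illustrative.
const subtle = globalThis.crypto?.subtle ??
  (typeof require === "function" ? require("node:crypto").webcrypto.subtle : undefined);
const enc = new TextEncoder(), dec = new TextDecoder();

function b64urlEncode(bytes) {
  let s = "";
  for (const b of bytes) s += String.fromCharCode(b);
  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function b64urlDecode(str) {
  const b64 = str.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)); // throws on bad input
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

async function importHmacKey(secret) {
  if (!subtle) throw new Error("Web Crypto is unavailable");
  return subtle.importKey("raw", enc.encode(secret),
    { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);
}

async function signHs256(payload, secret) {
  const head = b64urlEncode(enc.encode(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64urlEncode(enc.encode(JSON.stringify(payload)));
  const key = await importHmacKey(secret);
  const sig = await subtle.sign("HMAC", key, enc.encode(`${head}.${body}`));
  return `${head}.${body}.${b64urlEncode(new Uint8Array(sig))}`;
}

async function verifyHs256(token, secret) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, sig;
  try {
    header = JSON.parse(dec.decode(b64urlDecode(parts[0])));
    sig = b64urlDecode(parts[2]);
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm from the header: "none", RS256 and anything else is rejected.
  if (header?.alg !== "HS256") return { ok: false, reason: "unsupported alg" };
  const key = await importHmacKey(secret);
  // subtle.verify recomputes the MAC and compares it; no hand-written comparison needed.
  const ok = await subtle.verify("HMAC", key, sig, enc.encode(`${parts[0]}.${parts[1]}`));
  if (!ok) return { ok: false, reason: "bad signature" };
  return { ok: true, payload: JSON.parse(dec.decode(b64urlDecode(parts[1]))) };
}
```

The key is imported as non-extractable, and the header's alg value is checked before any signature work, so a token claiming another algorithm is refused rather than silently treated as HS256.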

Report an issue

If you discover a security problem in this open-source project, please report it responsibly via the GitHub repository’s issue tracker or your organization’s security contact.