ShellYard

JWT verify + sign

Full JWT lifecycle — decode with claim annotations, verify against HMAC / RSA / ECDSA / PSS keys, mint fresh tokens. exp / nbf / iat broken down even when the signature fails. Free on every tier.

JWT support inside Encoders & Decoders is now the full lifecycle, not just decode. Free on every tier.

Decode

Paste any compact JWT (header.payload.signature). The header and payload render as pretty JSON with claim annotations:

  • iss, aud, sub — labelled
  • exp, nbf, iat — converted to human time and compared against now
  • Standard claim glossary on hover

Decoding works regardless of signature validity — you see what the token says even when the verify step would reject it.

Verify

Switch to Verify and supply a key:

  • HMAC (HS256 / HS384 / HS512) — paste the shared secret
  • RSA (RS256 / RS384 / RS512) — paste a PEM public key
  • RSA-PSS (PS256 / PS384 / PS512) — same PEM, PSS padding
  • ECDSA (ES256 / ES384 / ES512) — PEM EC public key

JWKS-shaped keys are accepted directly — paste the { "kty": "RSA", ... } JSON and ShellYard parses it.

The result shows:

  • Signature — verified / invalid (with reason: bad key, algorithm mismatch, malformed)
  • Validity window — passes, future-dated (nbf not yet reached), or expired (exp in the past)
  • Claim breakdown — even if the signature fails, the exp / nbf / iat analysis still runs against the decoded claims

Sign

Switch to Sign to mint a fresh token:

  1. Pick the algorithm (HS256 / RS256 / ES256 / etc.)
  2. Paste the signing key (HMAC secret or PEM private key)
  3. Edit the header and payload JSON
  4. Click Sign — the compact JWT lands in the output box, ready to copy

iat is filled in automatically; exp defaults to one hour out and is editable.

Tier behavior

JWT verify + sign is on every tier including Free. Keys you paste stay in the local tool tab — they aren’t persisted unless you copy them into the vault yourself.