Integrity verification and JWT decoding with Web Crypto API: the files, tokens, secrets and keys you provide are processed in your browser.
Aimed at developers, security teams and sysadmins who need to verify a download's integrity, decode a session token or compute a cryptographic hash of a string. The three share a property: the file, token or secret you provide is processed locally and is not sent to any server.
Hash computation uses Web Crypto API for SHA-* and local code for MD5. JWT signature verification uses Web Crypto API for HMAC, RSA and ECDSA. No input (text, file, secret, key) is sent to any server. Verify it by opening DevTools on the Network tab while using each tool.
The two utilities in the cluster, with complementary tasks: hash for content integrity, JWT for token-based authentication.
Hash and checksum calculator with SHA-256, SHA-1, SHA-384, SHA-512 and MD5 over text or files. Includes an expected hash field to verify downloads.
JWT decoder and verifier with HS256/384/512, RS256/384/512 and ES256/384/512. Rejects `alg: none` and flags algorithm/key mismatches.
| Your situation | Tool |
|---|---|
| I want to verify that a downloaded .iso matches the published SHA-256 | Hash / checksum |
| I have a JWT from a log and I need to read its claims | JWT decoder |
| I want to confirm that a JWT was really signed by my identity provider | JWT decoder (verify) |
| I need a SHA-256 digest of a stable string as an identifier | Hash / checksum |
| I see a token declaring `alg: none` and want to audit the risk | JWT decoder (rejects alg none) |
The two editorial guides in this cluster cover the concepts behind the tools: hash functions and checksums for integrity, and JWT in practice with claims, expiration and common pitfalls.
ToolsOps