This site is not affiliated with or endorsed by Cloudflare, Inc. It simply showcases experiments built using Cloudflare services.
Cloudflare Experiments

JWT Inspector

Decode, verify, and issue JWTs for experimentation using Web Crypto

Inspect JSON Web Tokens at the edge: decode header and payload without verification, verify HS256/RS256 signatures, and issue test HS256 tokens for experimentation.

Features

  • POST /decode - Parse JWT header and payload (no crypto verification)
  • POST /verify - Verify HS256 (secret) or RS256 (public key PEM)
  • POST /issue - Mint test HS256 tokens with configurable expiry
  • Web Crypto - No external JWT libraries required

API Reference

POST /decode

Decode a JWT without verifying the signature.

Prop

Type

Example Request

curl -X POST "https://your-worker.workers.dev/decode" \
  -H "Content-Type: application/json" \
  -d '{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}'

Success Response

{
  "header": { "alg": "HS256", "typ": "JWT" },
  "payload": { "sub": "user-1", "exp": 1710000000 }
}

Error Codes

  • 400 - Invalid JSON (INVALID_BODY), token (INVALID_TOKEN), or decode error (DECODE_ERROR)

POST /verify

Verify a JWT signature.

Prop

Type

Provide secret (HS256) or publicKey (RS256), not both.

Example Request

curl -X POST "https://your-worker.workers.dev/verify" \
  -H "Content-Type: application/json" \
  -d '{"token":"eyJ...","secret":"demo-secret-key"}'

Success Response

{
  "valid": true,
  "algorithm": "HS256",
  "payload": { "sub": "alice", "exp": 1710000000 }
}

Error Codes

  • 400 - Invalid body/token (INVALID_BODY, INVALID_TOKEN, MISSING_KEY, VERIFY_ERROR)

POST /issue

Issue a test HS256 JWT.

Prop

Type

Example Request

curl -X POST "https://your-worker.workers.dev/issue" \
  -H "Content-Type: application/json" \
  -d '{"secret":"demo-secret-key","subject":"alice","expiresInSeconds":3600}'

Success Response

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "payload": {
    "sub": "alice",
    "iat": 1710000000,
    "exp": 1710003600,
    "iss": "jwt-inspector-demo"
  }
}

Error Codes

  • 400 - Invalid body or secret (INVALID_BODY, INVALID_SECRET)
  • 502 - Signing failed (ISSUE_ERROR)

Use Cases

  • Debug JWT payloads during API integration
  • Test HS256/RS256 verification logic before production auth
  • Generate short-lived test tokens for local development

Limitations

  • Demo tool only; not a production identity provider
  • RS256 verification requires PEM public key in request body
  • No support for JWKS fetching or exotic algorithms

Deployment

Click the deploy button

Deploy to Cloudflare Workers

Test your deployment

curl -X POST "https://your-worker.workers.dev/issue" \
  -H "Content-Type: application/json" \
  -d '{"secret":"demo-secret-key","subject":"alice"}'

Local Development

cd apps/experiments/jwt-inspector
npm install
npm run dev

Cloudflare Features Used

Turnstile Verify

Verify Cloudflare Turnstile tokens via the siteverify API

Rate Limiter Demo

Native Workers Rate Limiting binding with 429 responses and usage visualization

On this page

FeaturesAPI ReferencePOST /decodeExample RequestSuccess ResponseError CodesPOST /verifyExample RequestSuccess ResponseError CodesPOST /issueExample RequestSuccess ResponseError CodesUse CasesLimitationsDeploymentClick the deploy buttonTest your deploymentLocal DevelopmentCloudflare Features Used