100% in your browser. Nothing you paste is uploaded — all processing runs locally.

JWT API

The same JWT engine behind the public verifier, exposed as a rate-limited HTTP API. Beta — we ship it when there's enough demand to support it.

Who would actually use this?

Sign up for early access

The submit button composes a draft email in your client. Nothing is uploaded — your mail goes out from your own address. We won't add you to a marketing list.

FAQ

Why a JWT API when every language has a JWT library?

You typically don't need this for production decode/verify — your server handles that locally with a JWKS cache. The API is for: (1) side-services that need ad-hoc verification (Slack bots, audit tools), (2) bulk-validation pipelines (verify 10K tokens against multiple JWKS endpoints), and (3) introspection-as-a-service (pretty-print + flagged anomalies for support tooling).

Estimated feature set?

Decode endpoint (no key, just splits + parses). Verify endpoint (provide a key or JWKS URL — we cache the JWKS for 5 minutes by default). Sign endpoint (HS256 only — RS256 signing usually wants to stay in your own KMS, not on a third party). Bulk variants on each.

Pricing range?

Estimated, will firm up once we have signups: Free — 1,000 verifications/month. ~$15–40/month — 100K. ~$80–250/month — bulk plus JWKS-cache control + audit logs. Enterprise above.

Will you ever see my secrets?

For HS256 verify, yes — the secret has to leave your machine to verify. We commit to: never log secrets, never persist them past a single request, and offer an enterprise tier where verification runs in a dedicated tenant. For most production cases, you should keep HS256 verification local and use this API only for ad-hoc / test fixtures.