JWT API
The same JWT engine behind the public verifier, exposed as a rate-limited HTTP API. Beta — we ship it when there's enough demand to support it.
Who would actually use this?
- Side services that need ad-hoc verification — Slack bots that check whether a paste is a valid JWT, audit tools, support dashboards.
- Bulk validation — pipelines that verify 10K tokens against multiple JWKS endpoints.
- Introspection-as-a-service — pretty-print + anomaly flagging for support tooling (e.g., "this token has `alg:none`", "this `iss` isn't in your allowlist").
FAQ
Why a JWT API when every language has a JWT library?
You typically don't need this for production decode/verify — your server handles that locally with a JWKS cache. The API is for: (1) side-services that need ad-hoc verification (Slack bots, audit tools), (2) bulk-validation pipelines (verify 10K tokens against multiple JWKS endpoints), and (3) introspection-as-a-service (pretty-print + flagged anomalies for support tooling).
Estimated feature set?
Decode endpoint (no key, just splits + parses). Verify endpoint (provide a key or JWKS URL — we cache the JWKS for 5 minutes by default). Sign endpoint (HS256 only — RS256 signing usually wants to stay in your own KMS, not on a third party). Bulk variants on each.
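A local sketch of the decode step ("just splits + parses") together with the two anomaly flags quoted above, added here as an example; it is not the service's code. The function names, the allowlist and the sample tokens are constructed assumptions, and nothing in it verifies a signature.

```python
import base64
import json

def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sample(header, payload, sig):
    # Builds a constructed token; sig is a placeholder, not a real signature.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc(payload), sig])


def introspect(token, issuer_allowlist):
    """Split and parse a compact JWT WITHOUT verifying it, then flag anomalies."""
    result = {"well_formed": False, "header": None, "payload": None, "flags": []}
    parts = token.strip().split(".")
    if len(parts) != 3:
        result["flags"].append("not a three-part compact JWT")
        return result
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all land here
        result["flags"].append("header or payload is not base64url-encoded JSON")
        return result
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        result["flags"].append("header or payload is not a JSON object")
        return result
    result.update(well_formed=True, header=header, payload=payload)
    alg = header.get("alg")
    if isinstance(alg, str) and alg.lower() == "none":
        result["flags"].append("this token has alg:none")
    elif not isinstance(alg, str):
        result["flags"].append("alg is missing or not a string")
    iss = payload.get("iss")
    if not isinstance(iss, str) or iss not in issuer_allowlist:
        result["flags"].append("this iss isn't in your allowlist")
    return result


# Constructed samples with hypothetical issuers (assumptions, not from the page).
ALLOWLIST = {"https://issuer.example"}
GOOD = sample({"alg": "RS256"}, {"iss": "https://issuer.example"}, "c2ln")
UNSIGNED = sample({"alg": "none"}, {"iss": "https://other.example"}, "")
if __name__ == "__main__":
    for tok in (GOOD, UNSIGNED, "a.b"):
        print(introspect(tok, ALLOWLIST)["flags"])
```

An empty flag list only means the token parsed and passed these two checks; the claims remain untrusted until the signature is verified against a key.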
Pricing range?
Estimated, will firm up once we have signups: Free — 1,000 verifications/month. ~$15–40/month — 100K. ~$80–250/month — bulk plus JWKS-cache control + audit logs. Enterprise above.
Will you ever see my secrets?
For HS256 verify, yes — the secret has to leave your machine to verify. We commit to: never log secrets, never persist them past a single request, and offer an enterprise tier where verification runs in a dedicated tenant. For most production cases, you should keep HS256 verification local and use this API only for ad-hoc / test fixtures.