TK TaskKit

Comparison · Updated 2026-05-05

TaskKit's JWT tools vs jwt.io

Both tools decode and verify JSON Web Tokens entirely in your browser. The practical differences come down to what each one loads alongside the editor, how it behaves on a slow or hostile signature, and a handful of features one has and the other doesn't. The summary below is measured; the rest of the page is the full picture.

Summary

  • Privacy: TaskKit makes 0 third-party network calls on first paint. jwt.io makes 10 (OneTrust cookie consent, Adobe Experience Platform, Google Tag Manager).
  • Algorithm and key-format coverage: identical on both for the JWT spec — HS / RS / PS / ES / EdDSA, JWK and full JWKS (matched by kid), x5c, PKCS#1 / PKCS#8 / X.509 PEM. TaskKit additionally accepts an EdDSA key as raw hex or base64url.
  • Runtime safety: TaskKit verifies signatures in a Web Worker with a 2-second timeout, so an adversarial token cannot freeze the page. jwt.io verifies on the main thread.
  • Where jwt.io is stronger: a curated Libraries directory, a long-form Introduction page, and per-claim links into the relevant RFCs.
  • What TaskKit deliberately omits: auto-fetching a JWKS from a URL (would require an outbound call). Open TaskKit's decoder.

Privacy, measured

Both tools claim to do their work in the browser. That claim is only meaningful if you can verify it. Each page below was loaded on 2026-05-05 in a fresh Chrome profile with cache cleared, and every outbound network request was counted before a single character was typed. The same test runs against TaskKit's JWT decoder.

First-paint network jwt.io TaskKit
Third-party requests100
OneTrust cookie consent SDKLoaded (5 calls)No
Adobe Experience Platform / DTMLoaded (3 calls)No
Google Tag ManagerLoadedNo
Geolocation lookuponetrust.com geo endpointNo
Cookie consent bannerYes, blocks initial paint until dismissedNone
Login wall on advanced featuresNoNo

Every one of those calls fires before you paste a token. None of them are required for the page to decode a JWT — they are analytics, tag management, and consent-flow infrastructure. TaskKit ships none of it. More about how TaskKit handles your data.

Feature matrix

Both tools cover essentially the full JWT specification. Below is what each one accepts today, grouped by category.

Capability jwt.io TaskKit
Algorithms
HS256 / 384 / 512YesYes
RS256 / 384 / 512YesYes
PS256 / 384 / 512YesYes
ES256 / 384 / 512YesYes
EdDSA (Ed25519)YesYes (via @noble/ed25519)
Key formats
JWK (single)YesYes
JWKS with kid lookupYesYes
PEM SPKI (BEGIN PUBLIC KEY)YesYes
PEM PKCS#1 RSA (BEGIN RSA PUBLIC KEY)PartialYes (in-house ASN.1 reader)
X.509 certificate (BEGIN CERTIFICATE)YesYes (auto-extract SPKI)
x5c header auto-pickupYesYes (chain not validated, surfaced explicitly)
EdDSA hex / base64url rawNoYes (64 hex or 43 base64url chars)
Verification safety
Web Worker isolationNoYes
Catastrophic-backtracking timeoutNoYes (2s)
alg:none rejected with explanationYesYes
Encoder
Edit header / payloadYesYes
Form fields for registered claimsNoYes
PKCS#1 private keys accepted directlyNoYes (auto-wrapped to PKCS#8)
EdDSA private as hex / base64urlNoYes
One-click example tokenYesYes (current iat/exp computed live)
Privacy / runtime
All processing in browserYesYes
Zero third-party network callsNoYes
Cookie consent dialogYesNone
Optional Cloudflare Web Analytics (privacy-preserving, off by default)Off unless self-hosted with token

Runtime safety

WebCrypto's verify is fast on well-formed signatures. Against adversarial input it is not. Pathological RSA exponents, oversized keys, malformed Ed25519 signatures, or a maliciously-crafted JWKS can wedge the verifier long enough to freeze the tab — a real concern when the token in front of you came from an untrusted source.

TaskKit runs signature verification in a dedicated Web Worker with a 2-second wall-clock timeout. If the worker exceeds the budget it is terminated and the page shows an error instead of locking up. jwt.io verifies on the main thread, so a slow signature is a slow page. The same architecture protects TaskKit's regex tester (against (a+)+b-style backtracking) and its JSON formatter (against multi-megabyte parses).

Editor details that matter day-to-day

  • Three-colour highlighting inside the input. Both tools tint the three token segments, but jwt.io only tints them in a read-only "decoded" pane. TaskKit colours the segments in the textarea you are actually editing, which makes it easier to spot a mis-pasted dot.
  • Always-visible registered-claim labels. jwt.io's plain-English claim names (iat → "Issued at") live behind a "Claims Breakdown" tab. TaskKit shows them inline beneath the payload, so the dates and descriptions are visible at a glance.
  • Honest x5c handling. When a token's x5c header is used to verify, TaskKit's result chip reads "verified with the x5c certificate from the token header (chain not validated)" rather than implying end-to-end trust. Validating the chain back to a certificate authority would require fetching CA roots, which is out of scope for a browser-only tool.
  • HMAC base64url toggle. Some HMAC keys are stored as base64url-encoded bytes (a JWKS oct key with a k field, for example). A small toggle next to the algorithm chip switches the secret input between literal-string and base64url-bytes interpretation, so you don't have to decode it yourself.
  • EdDSA raw key input. Paste an Ed25519 key as 64 hex characters, 43 base64url characters, a JWK, or a PEM. jwt.io expects PEM or JWK only.

Where jwt.io is stronger

A useful comparison isn't a one-sided pitch. Three things jwt.io does clearly better today:

  • Libraries directory. A curated, browseable index of JWT libraries by language. If you are looking for an implementation to drop into a service, jwt.io's directory is the right place.
  • Long-form Introduction. A single canonical "what is a JWT" page that goes deep enough to teach the concept end-to-end. TaskKit's explainer beneath the decoder is shorter and tool-focused.
  • Per-claim RFC links. Every registered claim links to the section of the relevant RFC that defines it. A small thing, but useful when you are checking spec compliance.

What TaskKit deliberately leaves out

A privacy guarantee is easier to keep when there are no backdoors built in. A few features that other tools offer are intentionally absent here.

  • OIDC auto-discovery. Some tools let you paste an issuer URL and silently fetch .well-known/openid-configuration for the keys. That is an outbound request from your browser to a third party — and the URL itself can leak deployment details. TaskKit asks you to paste the JWKS instead.
  • JWKS-by-URL field. Same reasoning. A one-line curl in your terminal beats an outbound fetch from the page you are debugging.
  • Analytics by default. The codebase supports an optional, privacy-preserving Cloudflare Web Analytics token, but it stays off unless the operator explicitly enables it. The hosted version at taskkit.net keeps it off too.
  • Accounts and server-side history. Saving and sharing happen via URL fragments where supported. Nothing is stored on a server because there is no server.

Try TaskKit's JWT tools

JWT Decoder

Paste a token, inspect its claims, and verify the signature against a key, JWKS, or embedded x5c certificate.

JWT Encoder

Sign a token locally with HS, RS, PS, ES, or EdDSA. The private key stays in the tab.

Methodology

Measurements taken on 2026-05-05 with Chrome 147, DevTools cache disabled, and first-party cookies cleared. Network requests counted from initial page load through the moment before the first user keystroke. The feature matrix reflects each tool's behaviour on the same date and will be re-checked when either tool ships a material change.

jwt.io is a trademark of its respective owner. This page is not affiliated with or endorsed by jwt.io.