Logo

MonoCalc

/

JWE Tool

Encode/Decode

Algorithm Configuration

Strong – RSA-OAEP-256 + A256GCM

Algorithm compatibility matrix

RSA public key (PEM/JWK, ≥2048-bit)

How JWE Works

JWE uses a two-level encryption approach: a random Content Encryption Key (CEK) is generated for each token and encrypted with your key management algorithm (alg). The actual payload is then encrypted with the CEK using the content encryption algorithm (enc). This means you only need to protect one key, regardless of payload size. All operations run in your browser — nothing leaves your device.

Token structure (compact):

BASE64URL(Header).BASE64URL(EncKey).BASE64URL(IV).BASE64URL(Ciphertext).BASE64URL(Tag)

About This Tool

🔐 JSON Web Encryption (JWE) – Encrypt & Decrypt Payloads

The JSON Web Encryption (JWE) Tool lets you encrypt sensitive JSON payloads and decrypt JWE tokens entirely in your browser. Built on RFC 7516, JWE provides confidentiality — the payload is fully encrypted so only the party holding the correct key can read it. This is fundamentally different from JWS/JWT, which only signs data but leaves it readable by anyone.

What Is JWE and Why Use It?

While JWT (JSON Web Token) with JWS ensures integrity and authenticity, the payload is merely Base64URL-encoded — any observer can decode and read it. JWE closes this gap by encrypting the payload before embedding it in the token. Common use cases include:

  • OIDC id_token encryption — OpenID Connect providers can deliver encrypted ID tokens so only your application can read user claims.
  • Secure API payloads — encrypt PII (personally identifiable information) before including it in tokens passed through untrusted intermediaries.
  • End-to-end encrypted messaging — JWE tokens carry encrypted messages between parties that each hold their own private key.
  • Encrypted refresh tokens — protect long-lived tokens so their contents remain confidential even if intercepted.

JWE Token Structure

A compact JWE token has five dot-separated Base64URL-encoded parts:

Protected Header

JSON object with alg, enc, kid, and other header claims — Base64URL encoded

Encrypted Key

The Content Encryption Key (CEK), wrapped with the key management algorithm. Empty for dir mode.

Initialization Vector

Random IV/nonce used by the content encryption algorithm (12 bytes for GCM, 16 for CBC)

Ciphertext

The encrypted payload produced by the content encryption algorithm

Authentication Tag

Integrity tag that proves the ciphertext and header have not been tampered with

The five parts are concatenated as: Header.EncryptedKey.IV.Ciphertext.Tag

Two-Level Encryption: alg and enc

JWE uses a two-level encryption design. Understanding both algorithm parameters is essential:

  • alg (Key Management Algorithm) — determines how the Content Encryption Key (CEK) is protected. For RSA-OAEP, the CEK is encrypted with the recipient's RSA public key. For AES Key Wrap (A256KW), the CEK is wrapped with a shared symmetric secret. For dir, no wrapping occurs — the shared key is the CEK directly.
  • enc (Content Encryption Algorithm) — the authenticated symmetric encryption algorithm applied to the actual payload. AES-GCM variants (A128GCM, A256GCM) are preferred for new applications due to their built-in authentication. AES-CBC variants (A128CBC-HS256) combine AES encryption with HMAC for authentication.

Supported Algorithms

algTypeKey Requirement
RSA-OAEPAsymmetricRSA public key (≥2048-bit) to encrypt; private key to decrypt
RSA-OAEP-256AsymmetricRSA public key (≥2048-bit); SHA-256 hash
A128KW / A256KWSymmetric16 / 32 byte shared secret (Base64)
A128GCMKW / A256GCMKWSymmetric16 / 32 byte shared secret — GCM key wrapping
dirDirectRaw CEK matching enc byte length requirement
ECDH-ESAsymmetricEC public key (P-256/P-384/P-521) to encrypt; private key to decrypt
ECDH-ES+A128KW / +A256KWAsymmetricEC key pair — ECDH-derived key wraps CEK

Key Format Guide

This tool accepts keys in the following formats:

  • PEM (RSA / EC) — paste the key between -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- markers. For decryption, use -----BEGIN PRIVATE KEY----- (PKCS#8) or -----BEGIN RSA PRIVATE KEY----- (PKCS#1).
  • JWK JSON — paste the full JWK object, e.g. {"kty":"RSA","n":"...","e":"AQAB"}. The tool auto-detects JWK vs PEM by checking if the input starts with {.
  • Base64 (Symmetric) — for AES-KW and dir algorithms, provide the raw key bytes encoded as standard or URL-safe Base64.

Security Considerations

  • All cryptographic operations run entirely in your browser via the WebCrypto API. No keys or plaintext are transmitted to any server.
  • Prefer RSA-OAEP-256 + A256GCM or ECDH-ES + A256GCM for new applications — these provide the strongest security posture.
  • The authentication tag guarantees both confidentiality and integrity. If the token is tampered with or the wrong key is used, decryption will fail with an authentication error — never silently return garbage data.
  • For dir mode, never reuse the same key with the same IV. Each encryption call generates a fresh random IV automatically.
  • Avoid pasting production private keys into online tools. Use test key pairs for exploration and learning with this tool.

JWE vs JWS vs JWT: Quick Reference

StandardPurposePartsPayload Readable?
JWT (via JWS)Signed token — verify identity3Yes (Base64URL)
JWSSign any content for integrity/auth3Yes (Base64URL)
JWEEncrypt payload for confidentiality5No (encrypted)

Frequently Asked Questions

Is the JWE Tool free?

Yes, JWE Tool is totally free :)

Can I use the JWE Tool offline?

Yes, you can install the webapp as PWA.

Is it safe to use JWE Tool?

Yes, any data related to JWE Tool only stored in your browser (if storage required). You can simply clear browser cache to clear all the stored data. We do not store any data on server.

What is JSON Web Encryption (JWE) and how does this tool work?

JSON Web Encryption (JWE) is a standard (RFC 7516) for representing encrypted content using JSON-based data structures. Unlike JWT/JWS which only signs data, JWE fully encrypts the payload so only the intended recipient holding the correct key can read it. This tool lets you encrypt payloads and decrypt JWE tokens entirely in your browser — no data is ever sent to a server.

What is the difference between JWE and JWS/JWT?

JWS (JSON Web Signature) signs a payload to ensure integrity and authenticity — the payload is Base64URL-encoded but readable by anyone. JWE (JSON Web Encryption) encrypts the payload for confidentiality — only the key holder can decrypt it. A JWE compact token has 5 dot-separated parts (header, encrypted key, IV, ciphertext, tag) while a JWS/JWT has only 3.

Which key management (alg) and content encryption (enc) algorithms are supported?

This tool supports key management algorithms RSA-OAEP, RSA-OAEP-256, A128KW, A192KW, A256KW, A128GCMKW, A256GCMKW, dir, ECDH-ES, ECDH-ES+A128KW, and ECDH-ES+A256KW. For content encryption (enc), it supports A128GCM, A192GCM, A256GCM, A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512.

What key formats are accepted?

Keys can be provided as PEM (-----BEGIN PUBLIC KEY-----, -----BEGIN PRIVATE KEY-----, -----BEGIN RSA PRIVATE KEY-----) or as JWK JSON objects. For symmetric key wrap algorithms (A128KW, A256KW, dir), provide the raw key as a Base64-encoded string. The tool auto-detects the format you paste.

Is my private key or sensitive payload safe when using this tool?

Yes. All cryptographic operations run entirely client-side in your browser using the `jose` library and the WebCrypto API. No keys, payloads, or tokens are transmitted to any server. For extra caution, avoid pasting production private keys into online tools — use test/demo keys for exploration.

What does the JWE anatomy visualizer show?

The anatomy visualizer color-codes the 5 compact segments of a JWE token: the protected header (blue), encrypted key (orange), initialization vector (green), ciphertext (purple), and authentication tag (red). Hover over or click any segment to see its decoded content and byte length.