# Inspect certs, tokens & SSO — privately

> Identity Inspector decodes X.509 certificates (and chains/CSRs), JWT/JWS tokens, SAML requests and responses, and OIDC discovery documents entirely in your browser. It shows subjects, validity windows, expiry countdowns, SANs, key usage, fingerprints, JWT claims with an iat/nbf/exp timeline, and SSO assertions, and flags problems like expired certs, alg:none, clock skew, and audience mismatch. Nothing is uploaded: the certificates, CSRs, tokens and assertions you paste carry emails, roles, tenant IDs and public keys, and they never leave your device.

Live tool: https://lofttools.com/tools/security-tools/identity-inspector

Category: Security & Privacy


## What it does

- Decode X.509 certificates: subject, issuer, validity + expiry countdown, SANs, key usage, EKU, basic constraints, AIA/OCSP, CRL points, policies
- SHA-1 and SHA-256 fingerprints computed locally via the Web Crypto API
- Certificate chain builder: paste a bag of PEMs, get them ordered leaf→root with missing-intermediate and validity flags
- Certificate expiry dashboard: drop many certs, see a table sorted by days-to-expiry
- Decode CSRs (PKCS#10) and match a CSR or key against a certificate by public key
- JWT/JWS decode: pretty-printed header + claims, with an iat/nbf/exp timeline and human countdowns
- Optional JWT signature verification against a pasted public key or JWKS (RS/ES/PS/EdDSA) — never a server secret
- JWKS inspector: match a token's kid to a key and verify with it
- SAML decode: inflate + pretty-print AuthnRequests and Responses; extract Issuer, NameID, Conditions, Audience, Attributes; flag clock skew and audience mismatch
- OIDC discovery viewer: render endpoints, scopes, claims, grant types and signing algorithms from .well-known/openid-configuration
- Runs 100% in your browser — certificates and tokens never leave your device

## How it works

1. **Pick what you have** — Choose Certificate, JWT, SAML or OIDC — or just paste and let the tool auto-detect the format.
2. **Paste or drop it** — Paste the PEM/token/blob, or drop a .pem/.crt/.cer/.der file. Decoding happens in your browser.
3. **Read the breakdown** — See the decoded fields, validity and expiry, fingerprints or claims, and any flagged problems — then export or copy.

## FAQ

### Is my certificate or token uploaded anywhere?

No. Everything is decoded in your browser with JavaScript and the Web Crypto API; nothing is sent to a server. This matters because these artifacts are sensitive: a JWT carries emails, roles, permissions and tenant IDs; a SAML assertion carries the same plus every attribute the IdP released; a CSR carries your identity fields and public key; and a PKCS#12 bundle carries the private key itself, so it should never be pasted into anything that uploads. Open DevTools' Network tab and you'll see no request leave the page.

### Why not just use jwt.io or an SSL decoder site?

jwt.io now decodes JWTs client-side, so it doesn't upload your token — but it only handles JWTs. Most SSL/TLS certificate and SAML decoder sites still process your blob server-side, which is exactly what security teams tell you not to do with production certs and assertions full of PII. Identity Inspector decodes X.509, JWT, SAML and OIDC locally in one tool, so nothing leaves your machine for any of the four.

### Can it verify a JWT signature?

Yes, for RS, ES, PS and EdDSA algorithms, by pasting the public key (SPKI PEM), an X.509 certificate, or a JWKS; public keys are safe to handle. It deliberately does not offer HS256 secret verification, because asking you to paste a server's shared secret would defeat the privacy model. A valid result means the token was signed by the key you supplied, not that the key belongs to the issuer, so take the JWKS from the issuer's own jwks_uri and confirm the header alg matches the key's type before relying on the check. For certificates it inspects validity windows and structure; it does not perform live CA/CRL/OCSP trust checks.

### What can it do with SAML?

Paste a base64 SAMLRequest or SAMLResponse (redirect-binding deflate and POST-binding raw base64 both work). It inflates and pretty-prints the XML and extracts Issuer, NameID, Conditions (NotBefore/NotOnOrAfter), AudienceRestriction, AttributeStatement and SubjectConfirmation, flagging clock skew and audience mismatch. It checks structure and timestamps, not the XML signature, so it cannot tell a forged assertion from a genuine one: use it to read and debug assertions, not to decide whether to trust them.

### What file and token formats are supported?

Certificates as PEM or DER (.pem/.crt/.cer/.der), one or many at once; PKCS#10 CSRs; JWT/JWS compact tokens; JWKS JSON; base64 SAML; and OIDC .well-known/openid-configuration JSON. Auto-detect handles most pastes; you can also force a mode.

## Tips

- **Paste and auto-detect** — Just paste — the tool recognizes PEM certs, CSRs, JWTs, SAML blobs and OIDC JSON and switches mode for you. Override with the mode tabs if needed.
- **Drop a folder of certs** — Paste or drop multiple PEM certificates to build a chain (leaf→root, missing-intermediate flags) or an expiry dashboard sorted by days remaining.
- **Verify without secrets** — Paste an RS/ES/PS/EdDSA public key, X.509 cert, or JWKS to verify a JWT signature. Public keys are safe; the tool never asks for a server secret.

## Identity Inspector vs. the usual decoders

|  | Loft Identity Inspector | jwt.io | SSL decoder sites | SAML debuggers |
| --- | --- | --- | --- | --- |
| Runs locally (no upload) | Yes | Yes (client-side) | Uploads your cert | Uploads your blob |
| X.509 + chain + CSR | Yes | No | Cert only | No |
| JWT + JWKS verify | Yes (public key) | Yes | No | No |
| SAML + OIDC | Yes | JWT only | No | SAML only |
| Handles PII safely | Never leaves tab | Stays in tab | Vendor server | Vendor server |
| One tool for all four | Yes | JWT only | Cert only | SAML only |
| Cost | Free | Free | Free/ads | Free/ads |

_Decode and inspect, not live trust verification — no CA/CRL/OCSP fetch, no revocation check, and signature verification only with public keys/JWKS you paste, never server secrets. jwt.io decodes client-side too; the upload risk is with the server-side SSL and SAML decoder sites._

## Privacy — what we do not do

This tool runs entirely in the browser. Your certificate or token never reaches a Loft Tools server. Specifically:

- **No upload.** The pasted or dropped bytes load into the browser tab's memory and are processed on your own CPU. Open DevTools → Network and observe zero outbound requests carrying certificate or token data while Identity Inspector runs.
- **No AI training on your file.** Loft does not train models. We could not train on a file we cannot see.
- **No content scanning.** No virus, copyright, or content-moderation pass against your file. The bytes are not accessible to us.
- **No server-side log of file contents, filenames, or decoded fields.** Cloudflare edge captures URL and truncated IP for abuse defense (standard CDN behaviour). Cloudflare Web Analytics records anonymous page hits, no cookies, no PII. Nothing about your certificate or token reaches any log.
- **No retention.** Close the tab and the file leaves browser memory. No backups exist on our side because no copy ever existed on our side.
- **No account.** No email, no signup, no auth, no telemetry tied to you.
- **Offline-capable after first visit** (PWA). Once you've loaded a tool, it caches; later sessions work without internet. For high-sensitivity files, run the tool once online to warm the cache, then disconnect before processing.

Compare with upload-based services: each transmits your file to a processing server. Even over HTTPS, each has logs, retention windows, and subpoena exposure. Loft has none of these because the server architecture does not include your file.

## More

- All tools: https://lofttools.com/tools
- Category: https://lofttools.com/tools/security-tools
- LLM index: https://lofttools.com/llms.txt
