JWT Validator

Decode and verify JWT tokens. Inspect the header and payload, check expiration, and validate HS256 signatures — all in your browser.

Never paste production tokens into online validators. All verification is client-side.

How to Use This Tool

Paste your JWT token into the "Token" field. The tool will immediately decode and display the header and payload sections in formatted JSON — no secret required for decoding.

To verify the signature, enter your HS256 secret key in the "Secret" field and click "Verify". The tool will confirm whether the signature is valid and check if the token is expired based on the "exp" claim.

Use this tool to debug authentication issues, inspect token contents during development, or verify that your signing logic is producing well-formed tokens before deploying.

Code Examples

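const jwt = require('jsonwebtoken');

// Example inputs: JWT_TOKEN and JWT_SECRET are placeholder variable names.
// Read the secret from the environment rather than hard-coding it.
const token = process.env.JWT_TOKEN;
const secret = process.env.JWT_SECRET;

// Decode without verification (inspect claims only; do not trust them yet)
// jwt.decode returns null when the token is malformed
const decoded = jwt.decode(token, { complete: true });
if (decoded) {
  console.log(decoded.header); // { alg: 'HS256', typ: 'JWT' }
  console.log(decoded.payload); // { userId: 123, exp: 1700000000 }
} else {
  console.error('Malformed token: could not decode');
}

// Verify signature and expiration; pinning algorithms stops the token's
// own header from choosing how it is checked
try {
  const payload = jwt.verify(token, secret, { algorithms: ['HS256'] });
  console.log('Valid token:', payload);
} catch (err) {
  console.error('Invalid token:', err.message);
}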
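
The decode and verify steps above, written out with Node's built-in crypto module so each check is visible. This is an added example, not this tool's source or the jsonwebtoken library's code; the function names, sample token and secret are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Decode only: base64url-decode header and payload. Proves nothing about origin.
function decodeJwt(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token: expected 3 segments');
  const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
  return { header: parse(parts[0]), payload: parse(parts[1]), parts };
}

// Verify: pinned algorithm, HMAC-SHA256 over "header.payload", then "exp".
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  // An empty secret must be an error, never a silent decode-only result.
  if (!secret) throw new Error('secret required for verification');
  const { header, payload, parts } = decodeJwt(token);
  // Pin the algorithm; never let the token's own header choose (rejects "none").
  if (header.alg !== 'HS256') throw new Error('unexpected alg: ' + header.alg);
  const expected = createHmac('sha256', secret).update(parts[0] + '.' + parts[1]).digest();
  const given = Buffer.from(parts[2], 'base64url');
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) {
    throw new Error('token expired');
  }
  return payload;
}

// Constructed sample token (not a real credential), signed with a constructed secret.
function signSample(payload, secret, alg = 'HS256') {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const input = b64({ alg, typ: 'JWT' }) + '.' + b64(payload);
  return input + '.' + createHmac('sha256', secret).update(input).digest('base64url');
}

function outcome(token, secret, now) {
  try { verifyHs256(token, secret, now); return 'valid'; } catch (e) { return e.message; }
}

const sample = signSample({ userId: 123, exp: 1700000000 }, 'constructed-demo-secret');
console.log(decodeJwt(sample).payload); // claims are readable without any secret
console.log(outcome(sample, 'constructed-demo-secret', 1699999999));
console.log(outcome(sample, 'wrong-secret', 1699999999));
console.log(outcome(sample, 'constructed-demo-secret', 1700000001));
```

The empty-secret check matters for any caller that treats "no error" as "verified": a decode-only fallback must be reported as unverified, not as valid.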

Frequently Asked Questions

What is the difference between decoding and verifying a JWT?

Decoding simply base64url-decodes the header and payload sections — it does not check the signature or expiration. Anyone can decode a JWT without the secret. Verification checks that the signature matches (proving the token was signed by someone with the secret) and that the token has not expired.

Can I use this tool to verify RS256 tokens?

This tool currently supports HS256 (symmetric HMAC) verification only, which requires a shared secret. RS256 tokens use an RSA private/public key pair — verification requires the public key. For RS256, use a library like jsonwebtoken (Node.js) with the public key from your authorization server's JWKS endpoint.

Is it safe to paste my token here?

Yes. All processing happens in your browser — the token and secret never leave your device. However, treat your JWT tokens like passwords: avoid pasting production tokens with long expiration times into any third-party tool. Short-lived tokens (15-60 minutes) are far safer to inspect.

Why does my token show as valid even with the wrong secret?

This happens only if you leave the secret field empty — the tool then skips signature verification and only decodes the payload. Enter your secret to perform full signature verification.
