JWT Validator - Verify JSON Web Tokens Online
Free online JWT validator tool. Verify token signatures, decode headers and payloads, check expiration, and validate claims for security debugging.
JWT Validator
What is JWT Validator?
A JWT Validator is an essential security tool for developers working with JSON Web Tokens. It allows you to inspect and verify the integrity of JWTs by checking the signature against a secret key or public key.
This tool helps you:
- Decode tokens - View the header and payload claims in readable JSON format
- Verify signatures - Validate that the token hasn't been tampered with
- Check expiration - See if the token is still valid based on exp claim
- Debug authentication - Troubleshoot JWT-related issues in your application
JWTs consist of three Base64URL-encoded parts separated by dots: header.payload.signature. The validator parses each part and displays the contents while verifying the cryptographic signature.
Examples
Decode a simple HS256 token
Input:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Output:
Header: {"alg": "HS256", "typ": "JWT"}
Payload: {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
Signature: Valid
Check token expiration
Input:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNjAwMDAwMDAwfQ.abc123
Output:
Status: Expired
Expiration: September 13, 2020
Payload includes exp claim
Validate RS256 signed token
Input:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Output:
Algorithm: RS256
Requires public key for verification
Shows x5t or kid header if present
Validate JWT in Node.js
const fs = require('fs');
const jwt = require('jsonwebtoken');
// Token under test (assumed here to come from an environment variable; in an app it arrives in a request header)
const token = process.env.JWT_TOKEN;
// Validate HS256 token; pin the algorithm so the token's own alg header cannot select a different one
try {
  const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
  console.log('Valid token:', decoded);
} catch (err) {
  console.error('Invalid token:', err.message);
}
// Validate RS256 token with public key (verify throws on an invalid token, so wrap it in try/catch as above)
const publicKey = fs.readFileSync('./public.pem');
const decoded = jwt.verify(token, publicKey, { algorithms: ['RS256'] });
Common Mistakes
- Accepting tokens with 'none' algorithm - Always reject unsigned tokens in production.
- Not validating the algorithm header - Attackers can change 'alg' to exploit vulnerabilities.
- Ignoring token expiration - Always check the exp claim before trusting a token.
- Hardcoding secret keys - Use environment variables or secret management systems.
- Not checking issuer (iss) and audience (aud) - Validate these claims to prevent token reuse across services.
Security Note
Never share production JWTs or secret keys in public validators. This tool runs entirely in your browser, but always be cautious when pasting sensitive tokens.
Frequently Asked Questions
What is JWT validation?
JWT validation is the process of verifying that a JSON Web Token is authentic and hasn't been tampered with. It involves checking the signature, decoding the claims, and validating standard claims like expiration (exp), issuer (iss), and audience (aud).
How do I validate a JWT signature?
For HS256 (HMAC) tokens, you need the secret key that was used to sign it. For RS256 (RSA) tokens, you need the public key. The validator recomputes the signature and compares it to the one in the token.
What claims should I check in a JWT?
At minimum, check: exp (expiration), iat (issued at), nbf (not before), iss (issuer), and aud (audience). These standard claims help ensure the token is valid and intended for your application.
Can I use this tool for production tokens?
This tool is designed for development and debugging. It runs client-side in your browser, so your tokens never leave your device. However, never paste production secrets or sensitive tokens into any online tool.