JWT Validator
SecurityValidate and decode JSON Web Tokens (JWT) instantly. Checks structure, decodes header and payload claims, and flags expired tokens — client-side only.
{"alg": "HS256","typ": "JWT"}{"sub": "1234567890","name": "John Doe","iat": 1516239022}What is a JWT?
The JWT Validator decodes and checks the structural validity of a JSON Web Token (JWT) — the compact authentication token format used in virtually every modern REST API, OAuth 2.0 implementation, and OpenID Connect identity flow.
A JWT consists of three Base64URL-encoded sections joined by dots: header.payload.signature. The header is a JSON object containing the signing algorithm (alg) and token type (typ). The payload is a JSON object containing the claims — who the token is about, when it expires, who issued it, and any application-specific data. The signature cryptographically binds the header and payload to a secret key, preventing tampering.
This validator:
- Confirms the token has the correct three-part structure
- Base64URL-decodes the header and payload and parses them as JSON
- Displays all decoded claims with Unix timestamps converted to human-readable ISO 8601 dates
- Checks the
exp(expiry) claim against the current time and reports whether the token is live or expired - Reports the signing algorithm (
alg) from the header — alerting you if dangerous values likenoneare present
What it does not do: Cryptographic signature verification requires the signing secret (HS256/384/512) or public key (RS256, ES256). Without the key, it is not possible to confirm that the token was signed by the claimed issuer — only that the signature field is structurally present. For production signature verification, use a JWT library with the correct key in your server code.
All decoding runs client-side in your browser. Tokens are never transmitted or stored — critical for tokens containing sensitive claims like user IDs or roles.
Use the Password Strength Validator for evaluating password security, or the JSON Validator if you need to validate a raw JSON payload outside of a JWT context.
How to use this JWT calculator
- Find your JWT — copy it from an Authorization header (
Bearer eyJ...), browser localStorage/sessionStorage, a Postman response, a debug log, or a curl output. Remove theBearerprefix if present — paste only the token itself. - Paste the token into the "JWT Token" textarea.
- Check the Valid/Invalid badge — green means the structure is correct and all three sections decode to valid JSON; red means a structural problem was found.
- Read the details panel — header claims first (algorithm, type), then payload claims (all key-value pairs with timestamps in ISO format), then expiry status, then signature note.
- Check the expiry line — if the token has expired, the details show exactly when and how long ago, which immediately identifies whether a token refresh is needed.
- Note the algorithm from the header — confirm it is the expected algorithm for your system; flag
alg: noneimmediately as a security concern. - Compare claims to expectations — confirm
iss,aud,sub, and any custom claims match what your server expects before concluding the auth issue lies elsewhere.
Formula & Methodology
JWT structure:<Base64URL(header)>.<Base64URL(payload)>.<Base64URL(signature)>Base64URL encoding differs from standard Base64 in two character substitutions:+→-and/→_, and trailing=padding is omitted. Decoding reverses these substitutions and re-adds padding before standard Base64 decoding. Decoding algorithm: 1. Split the token on.— expect exactly 3 parts. 2. For each of header and payload: replace-with+,_with/, pad to a multiple of 4 characters with=, then applyatob()to decode Base64 to a UTF-8 string, then parse as JSON. 3. Check that the resulting objects are valid JSON — malformed JSON in either section indicates a corrupted or truncated token. 4. Readheader.algfor the algorithm, readpayload.expfor the expiry Unix timestamp. Expiry check:expired = payload.exp < Math.floor(Date.now() / 1000)Valid and invalid examples: | Token | Valid? | Note | |---|---|---| |eyJ...Z.eyJ...Z.sig(3 parts, valid JSON) | ✓ | Structurally valid | |eyJ...Z.eyJ...Z(2 parts) | ✗ | Missing signature section | |notbase64.notbase64.notbase64| ✗ | Header/payload fail JSON parse | | Valid structure,expin past | ✓ structural / ⚠ expired | Token is well-formed but expired | |eyJ..alg:none..Z.eyJ...Z.| ✓ structural / ⚠ insecure | Structurally valid butalg:noneis a security risk | Use the JSON Validator to validate the raw decoded payload JSON, or the Password Strength Validator for evaluating secrets used in HMAC-signed JWTs.
Frequently Asked Questions