JWT Validator — Decode, Inspect & Verify JSON Web Tokens Instantly

Authentication is working. Then it isn't.

A user can't log in. An API call returns 401. A service-to-service request is being rejected. The error message says "invalid token" or "unauthorized" — and nothing else.

The token is the first thing you need to look at. What algorithm was used? When does it expire? What claims are inside? Paste the JWT above. Our validator decodes it immediately — header, payload, and signature — and shows you every claim in plain, readable JSON. No libraries. No debugger setup. Know what's inside the token in seconds.

What Is a JWT — and Why Is It Everywhere?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a compact, self-contained token. It's the dominant mechanism for authentication in modern apps. A JWT carries everything a service needs to verify a user's identity and permissions without querying a database.

Common Uses

  • OAuth 2.0 access tokens (Auth0, Okta, Cognito)
  • OpenID Connect ID tokens
  • Service-to-service authentication
  • API gateway authorization

Wait, what is "Bearer"?

You'll often see JWTs used as Authorization: Bearer <token>. "Bearer" means "give access to the bearer of this token" — like a cash banknote. If you have it, you can spend it.

Anatomy of a JWT — Three Parts, One Token

Every JWT consists of exactly three Base64URL-encoded parts separated by dots: header.payload.signature.

Part 1

The Header

The header is a JSON object describing the token type and the signing algorithm.

{
  "alg": "RS256",
  "typ": "JWT"
}

Common Algorithms (`alg`)

| Alg   | Type       | Level    | Notes                                          |
|-------|------------|----------|------------------------------------------------|
| HS256 | Symmetric  | Standard | Same key signs/verifies. Not for public APIs.  |
| RS256 | Asymmetric | High     | Private signs, public verifies. Preferred.     |
| ES256 | Asymmetric | High     | Smaller keys, same security as RSA.            |
| none  | None       | Danger   | No signature. Reject immediately.              |

Part 2

The Payload

Contains claims about the entity (user) and metadata.

{
  "sub": "user_123",
  "name": "Alice Smith",
  "roles": ["admin"],
  "exp": 1704070800
}

Registered Claims

| Claim | Full Name  | Description                                              |
|-------|------------|----------------------------------------------------------|
| sub   | Subject    | Unique identifier of the user (e.g. user ID).            |
| iss   | Issuer     | Who issued the token (e.g. https://auth.example.com).    |
| aud   | Audience   | Who the token is intended for (e.g. api.example.com).    |
| exp   | Expiration | Unix timestamp when the token expires.                   |
| iat   | Issued At  | Unix timestamp when the token was created.               |

Part 3

The Signature

Cryptographic proof that the header and payload haven't been modified. Computed by signing the encoded header and payload with a secret key (HS256) or a private key (RS256, ES256).

signature = sign(
  base64url(header) + "." + base64url(payload),
  secret_or_private_key,
  algorithm
)

The 7 Most Common JWT Problems — Diagnosed and Fixed

Token Expired (exp)

The most common issue. The `exp` timestamp is in the past. Fix: Re-authenticate or implement refresh tokens.

Wrong Audience (aud)

Token valid but rejected? Check `aud`. If the token is for `api.example.com` and you are `admin.example.com`, reject it.

Wrong Issuer (iss)

Token from dev env hitting prod? `iss` mismatch causes 401s. Check for trailing slashes or http/https diffs.

alg: none Attack

Attacker sends a token with `alg: none` and no signature. If your library accepts it, they can forge admin access.

Algorithm Confusion

Attacker re-signs the token with HS256, using your public key as the HMAC secret. If your server expects RS256 but honors the `alg` header, it verifies the forgery.

Clock Skew

Token fails `nbf` or `exp` due to slight server time drift. Fix: Add a 30s clock tolerance window in your validator.

Wrong Transport

Sending the token in the query string (unsafe) or in a non-Bearer header. Use `Authorization: Bearer <token>`.

JWT Security — What You Must Never Do

Never store JWTs in localStorage

XSS vulnerabilities give attackers full access to localStorage. Use HttpOnly cookies instead.

Never accept alg: none

Explicitly reject unsigned tokens in your JWT library configuration.

Never put secrets in the payload

The payload is Base64 encoded, NOT encrypted. Anyone can read it. No passwords allowed.

Never trust the alg header

Always force verification using the algorithm YOU expect (e.g., RS256), ignoring what the token says.

Frequently Asked Questions

Is it safe to paste a JWT into an online tool?

We process everything client-side, but standard practice is to use test tokens for online tools. Inspect production tokens in secure local environments.

Can your tool verify the JWT signature?

We decode and validate structure. Signature verification requires the secret/public key, which should be done server-side.

What is the difference between JWT and session tokens?

Session tokens reference data stored on the server (DB lookup required). JWTs carry the data inside them (no DB lookup, but harder to revoke).

How do I revoke a JWT?

You can't delete it. Options: short expiry times, rotate keys, or maintain a blocklist of revoked IDs (jti).

What is JWKS?

JSON Web Key Set. A public endpoint where identity providers (like Auth0) publish public keys for verifying signatures.

What does exp mean in a JWT?

Expiration Time. It's a Unix timestamp. If current time > exp, the token is invalid.

RS256 vs HS256?

HS256 = Symmetric (shared secret). RS256 = Asymmetric (Public/Private Key). Use RS256 for public APIs.

401? Start Here.

Paste the token. See every claim. Know in ten seconds whether it's expired or misconfigured.