A JWT validator decodes and inspects JSON Web Tokens without requiring the secret key. Paste any JWT to see its header, payload claims, expiration status, and algorithm. Useful for debugging auth flows, checking token expiry, and understanding JWT structure. Note: signature verification is not possible without the secret.
Header
Payload
Claims Summary
How to Use the JWT Validator
JSON Web Tokens (JWTs) are the most common mechanism for stateless authentication in web APIs. They consist of three base64url-encoded parts separated by dots: header, payload, and signature. This JWT validator decodes the first two parts and analyzes the claims without needing the secret key.
Reading JWT Claims
The payload contains claims — assertions about the user and token metadata. Standard claims include sub (subject/user ID), exp (expiration timestamp), iat (issued at), iss (issuer), and aud (audience). Custom claims can include roles, permissions, and any application-specific data.
Checking Token Expiration
The exp claim is a Unix timestamp. If the current time exceeds this value, the token is expired and any properly implemented server will reject it. The validator compares the exp claim against the current time and shows a clear expired/valid status with a human-readable expiration date.
JWT Security Considerations
Never decode JWTs on the server side without verifying the signature — a decoded-but-unverified JWT can be tampered with. Always use a proper JWT library (jsonwebtoken for Node.js, python-jose for Python, etc.) that verifies the signature against your secret key or public key before trusting any claims.
Frequently Asked Questions
Is this JWT validator free?
Yes, completely free with no signup or account required.
Is it safe to paste my JWT here?
Everything runs locally in your browser — your token never leaves your device. That said, as a general security practice, avoid pasting production tokens with sensitive claims into any online tool.
Can this tool verify the JWT signature?
No. Signature verification requires the secret key, which only your server should have. This tool decodes and validates the structure, expiration, and format of the token for educational and debugging purposes.
What does 'token expired' mean?
JWT tokens contain an 'exp' (expiration) claim with a Unix timestamp. If the current time is past that timestamp, the token is expired and your server will reject it. You need to refresh or re-authenticate to get a new valid token.
What algorithms do JWTs use?
Common JWT signing algorithms include HS256 (HMAC-SHA256), HS512, RS256 (RSA-SHA256), and ES256 (ECDSA). The algorithm is specified in the header's 'alg' field. RS256 and ES256 use public/private key pairs, making them suitable for distributed systems where multiple services need to verify tokens.