JWT Validator

Decode headers and claims, inspect timestamps, and verify signatures for signed JWTs.

Your JWT never leaves your browser

What This Tool Does

  • Decodes the header and payload of any signed JWT and displays them with syntax highlighting
  • Warns when a token uses alg: none, which has no signature and should never be trusted in production
  • Inspects standard claims (exp, nbf, iat) and shows timestamps and validity status
  • Displays all claims in the payload (both standard and custom) in a human-readable format
  • Optionally verifies the cryptographic signature using a public key or shared secret via the native Web Crypto API
  • Auto-detects whether a pasted key is JWK or PEM format
  • Auto-detects UTF-8 vs Base64 encoding for HMAC secrets

This tool validates signed JWTs (JWS), which consist of 3 dot-separated parts. Encrypted JWTs (JWE) are not supported.
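The decoding and inspection steps listed above can be reproduced in a few lines of JavaScript. This is an added example, not the tool's own code: the function names, warning strings and sample tokens are constructed for illustration, and it performs no signature verification.

```javascript
// Added example (not the tool's code): inspect a compact JWS without verifying it.
const SUPPORTED = new Set(["RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
  "ES256", "ES384", "ES512", "HS256", "HS384", "HS512"]); // algorithms named on this page

function b64urlToJson(part) {
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

// nowSeconds is injectable so the time checks are reproducible.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("5 parts: encrypted JWT (JWE), not a JWS");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = [];
  const alg = String(header.alg);
  // Compare case-insensitively so "None" or "NONE" is flagged too.
  if (alg.toLowerCase() === "none") warnings.push("alg is none: token is unsigned");
  else if (!SUPPORTED.has(alg)) warnings.push("unsupported alg: " + alg);
  else if (parts[2] === "") warnings.push("signed alg but empty signature");
  const times = {};
  for (const claim of ["exp", "nbf", "iat"]) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    } else if (claim in payload) {
      warnings.push(claim + " is not a numeric timestamp");
    }
  }
  let timeStatus = "valid";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) timeStatus = "not yet valid";
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) timeStatus = "expired";
  // Decoding proves nothing about authenticity; the signature is still unchecked here.
  return { header, payload, times, timeStatus, warnings };
}

// Constructed sample tokens (built inline, not real credentials).
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const claims = { sub: "alice", iat: 1700000000, nbf: 1700000000, exp: 1700003600 };
const unsignedToken = `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
const hsToken = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.c2lnbmF0dXJl`;
console.log(inspectJwt(unsignedToken, 1700000100));
```

A result with `timeStatus` of `valid` and no warnings only describes the token's structure and timestamps; whether the token can be trusted depends on verifying the signature against the expected key and algorithm.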

Supported Algorithms

This validator supports the following signing algorithms for signature verification:

  • RS256, RS384, RS512 — RSA with SHA-256/384/512
  • PS256, PS384, PS512 — RSA-PSS with SHA-256/384/512
  • ES256, ES384, ES512 — ECDSA with P-256/384/521 curves
  • HS256, HS384, HS512 — HMAC with SHA-256/384/512 (enter your shared secret to verify)

Need a secure HMAC secret? Try generating one with our Secure Password Generator.

References & Specifications

The following standards and resources are relevant to JWT validation, security, and token-based authentication: