JWT Validator

Paste a JWT to verify its signature and validate its claims. Verify HMAC signatures (HS256, HS384, HS512) against a secret you supply, check exp, nbf, and iat with human-readable times, and optionally match aud and iss. Everything runs client-side in your browser.

100% private. The token, secret, and verification all stay in your browser using the native Web Crypto API. Nothing is uploaded.

The JWT Validator verifies a JSON Web Token in your browser. Paste the token, enter the HMAC secret, and it checks the signature for HS256, HS384, and HS512 using the native Web Crypto API, then validates the standard claims: expiration (exp), not-before (nbf), and issued-at (iat), with human-readable timestamps. You can also supply an expected audience (aud) and issuer (iss) to confirm they match. The header and payload are decoded and shown so you can inspect every field. Nothing is uploaded; the secret never leaves your device.

What is a JWT validator?

A JWT validator does more than decode a token. Decoding just Base64URL-unpacks the header and payload so you can read them, but it tells you nothing about whether the token is genuine or still usable. Validating means cryptographically verifying the signature with the correct secret or key and checking the time-based claims so you know the token was issued by a trusted party, has not been tampered with, and has not expired. This tool verifies HMAC signatures and runs the full set of standard claim checks for you.

How to verify a JWT

Paste the token, provide the secret used to sign it, and optionally the audience and issuer you expect. The tool reports a clear valid or invalid signature result plus a pass or fail for each claim.

  1. Paste the full JWT in the token field.
  2. Enter the HMAC secret for HS256, HS384, or HS512 tokens.
  3. Optionally fill in the expected audience and issuer.
  4. Click Verify to check the signature and claims.
  5. Review the signature result, the per-claim checks, and the decoded header and payload.

Which algorithms are supported?

Signature verification covers the symmetric HMAC algorithms HS256, HS384, and HS512, which sign and verify with the same shared secret. For asymmetric algorithms such as RS256, ES256, or PS256, this tool still decodes the token and validates every claim, but it does not verify those signatures, because they require the matching public key and a different verification flow. The claim checks for expiration, not-before, issued-at, audience, and issuer apply to any token regardless of its algorithm.

Why use this JWT validator?

  • Verifies HS256, HS384, and HS512 signatures with the native Web Crypto API.
  • Clear VALID or INVALID signature result, not just a decode.
  • Checks exp, nbf, and iat with human-readable timestamps.
  • Optional audience (aud) and issuer (iss) matching.
  • Decodes and displays the header and payload for inspection.
  • Fully client-side: the token and secret never leave your browser.

Frequently asked questions

Is my token or secret sent to a server?

No. The token is decoded and its signature is verified entirely in your browser using the native Web Crypto API. Your secret, the token, and the verification result are never transmitted, stored, or logged. You can confirm this by watching your browser network tools while you verify a token.

How is this different from a JWT decoder?

A decoder only unpacks the header and payload so you can read them; it cannot tell you whether the token is authentic or still valid. This validator additionally verifies the HMAC signature against your secret and checks the time-based claims, so you learn whether the token was really signed with that secret and whether it has expired or is not yet valid.

Can it verify RS256 or ES256 tokens?

Signature verification here covers the HMAC family: HS256, HS384, and HS512. For RS256, ES256, PS256, and other asymmetric algorithms the token is still fully decoded and all of its claims are validated, but the signature itself is not checked, since that needs the matching public key and a separate verification path.

What claims does it check?

It validates exp (expiration), nbf (not-before), and iat (issued-at), showing each timestamp in a readable form and flagging tokens that are expired, not yet valid, or issued in the future. If you supply an expected audience or issuer, it also checks the aud and iss claims and reports whether they match.

Why does my valid token show an invalid signature?

The most common cause is the wrong secret: HMAC verification only succeeds when you enter the exact secret used to sign the token, byte for byte. Make sure there are no extra spaces, that the token has not been altered, and that its algorithm is one of HS256, HS384, or HS512. A single changed character in the token or the secret will correctly report an invalid signature.