FeuTex · free tools · runs in-browser · no bloat · built by LiMiT

JWT Checker (GitHub)

Paste a JWT you found in a GitHub repo, issue, log, or config. This tool can auto-extract JWT-looking strings, decode header/payload, and (optionally) verify HMAC signatures (HS256/HS384/HS512) locally in your browser.


Tip: If you paste a GitHub log or file, leave Mode on Auto-extract to find JWTs inside other text.

Input (JWT or GitHub snippet): No network calls. Processing happens locally in your browser.

Options: For RS256/ES256 tokens (common with GitHub), you can still decode claims here, but signature verification needs the correct public key/JWK.

Output: Output is JSON for easy copy/paste into your workflow.

Privacy: runs locally in your browser. No uploads, no tracking scripts.

How to use

Use it in seconds:

  1. Paste a JWT or a GitHub snippet containing one into the input.
  2. Choose Auto-extract (find tokens in text) or Single JWT.
  3. (Optional) Enter an HMAC secret to verify HS256/HS384/HS512 signatures.
  4. Click Decode / Check to see decoded JSON + expiry info + signature status.

Note: GitHub App JWTs and GitHub Actions OIDC tokens are commonly RS256; this tool will still decode them, but can’t verify RS/ES signatures without the right public key/JWK.
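
The four steps above, sketched as an added Node.js example; this is not the tool's own source. The output field names meta.exp_iso, meta.is_expired and invalid_candidates follow the FAQ on this page; the function names, the signature status strings and the sample secret "demo-secret" are assumptions, and the log text is constructed.

```javascript
// Added example, not the FeuTex tool's source. Runs under Node.js.
const { createHmac, timingSafeEqual } = require("crypto");

const HMAC_ALGS = new Map([["HS256", "sha256"], ["HS384", "sha384"], ["HS512", "sha512"]]);
// "eyJ" is base64url for '{"', so this finds three-part tokens with JSON headers.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;
const decodePart = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Decode one token; the full token is deliberately left out of the result.
function checkJwt(token, secret, now = Date.now()) {
  const [h, p, sig] = token.split(".");
  const header = decodePart(h); // throws if the part is not JSON
  const payload = decodePart(p);
  const meta = {};
  if (typeof payload.exp === "number") { // exp is seconds since the epoch
    meta.exp_iso = new Date(payload.exp * 1000).toISOString();
    meta.is_expired = payload.exp * 1000 <= now;
  }
  let signature = "not_supported"; // RS*/ES*/none: decode only, no key here
  const hash = HMAC_ALGS.get(header.alg);
  if (hash && secret === undefined) signature = "not_checked";
  else if (hash) {
    // HMAC covers the exact "header.payload" bytes as received.
    const expected = createHmac(hash, secret).update(`${h}.${p}`).digest();
    const given = Buffer.from(sig, "base64url");
    const ok = given.length === expected.length && timingSafeEqual(given, expected);
    signature = ok ? "valid" : "invalid";
  }
  return { header, payload, meta, signature };
}

// Auto-extract mode: scan free text and count candidates that fail to decode.
function extractAndCheck(text, secret, now) {
  const out = { tokens: [], invalid_candidates: 0 };
  for (const candidate of text.match(JWT_RE) || []) {
    try { out.tokens.push(checkJwt(candidate, secret, now)); }
    catch { out.invalid_candidates += 1; }
  }
  return out;
}

// Constructed sample input (no real credentials).
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const hsBody = `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ sub: "ci", exp: 1700000000 })}`;
const SAMPLE_LOG = [
  `auth: Bearer ${hsBody}.${createHmac("sha256", "demo-secret").update(hsBody).digest("base64url")}`,
  `oidc: ${b64({ alg: "RS256", kid: "k1" })}.${b64({ iss: "example" })}.c2ln`,
  "junk: eyJub3Rqc29u.abc.def", // header decodes to broken JSON
].join("\n");
```
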

Secondary intents covered:

  - Extract JWTs from pasted GitHub file content or logs
  - Decode JWT header and payload into readable JSON
  - Check exp/iat/nbf timestamps and whether a token is expired
  - Verify an HS256/HS384/HS512 JWT signature using a shared secret
  - Identify why a JWT fails to parse (bad base64url/JSON/format)
  - Inspect header fields like alg, typ, kid for troubleshooting
  - Avoid leaking tokens by omitting full token output when sharing results
  - Understand why GitHub-signed tokens (RS256) can’t be verified without keys

FAQ

Can this verify JWTs signed by GitHub (RS256)?

No—this page only verifies HMAC JWTs (HS256/HS384/HS512). GitHub-issued tokens are often RS256 and require the correct public key/JWK to verify.

What does “jwt checker github” usually mean?

Most people mean “I found a JWT in a GitHub repo/log—decode it and see claims like exp/iat/kid, and verify if it’s HMAC.”

Is my token sent to a server?

No. The tool runs locally in your browser and does not make network requests.

Why does signature verification say “not supported”?

That happens when the token uses RS*/ES* algorithms or the header is missing/invalid. You can still decode the header and payload.

How do I check if a JWT is expired?

Look at meta.exp_iso and meta.is_expired. The tool compares exp to your current time.

What does “invalid_candidates” mean in auto-extract mode?

It counts dot-separated strings that looked like JWTs but failed to decode into JSON header/payload.

Why should I keep “Include full token in output” off?

So you can share debugging output (claims, timestamps, alg) without accidentally leaking the full credential.