FeuTex · free tools · runs in-browser · no bloat · built by LiMiT

JWT Checker

Paste a JWT to decode its header and payload, spot common issues (format, base64, JSON), and optionally verify HMAC signatures (HS256/HS384/HS512) using your shared secret. Runs locally in your browser (no requests sent).

Privacy: runs locally in your browser. No uploads, no tracking scripts.

How to use

Use this checker to quickly inspect what a JWT contains and whether it’s valid for the current time.

  1. Paste the full token (header.payload.signature) into the JWT field.
  2. (Optional) Enter the shared secret if the token uses HS256, HS384, or HS512.
  3. Click Decode / Verify to view header/payload and signature status.
  4. Review claim times (exp/nbf/iat) and any warnings.

What the tool covers: decoding the JWT header and payload into readable JSON; validating that a JWT has 3 parts and valid base64url/JSON; verifying HS256/HS384/HS512 signatures using a shared secret; checking expiration (exp) and not-before (nbf) against the current time; converting iat/nbf/exp epoch seconds into human-readable dates; detecting insecure/unsigned tokens (alg: none); comparing the provided and computed signatures for debugging; copying decoded output for logs or bug reports.

FAQ

Does this JWT checker verify signatures?

It verifies HMAC tokens (HS256/HS384/HS512) if you provide the secret. For RSA/EC algorithms (e.g., RS256/ES256), it decodes but does not verify.

Is my token sent to a server?

No. The tool runs locally in your browser and does not make network requests.

Why does it say “Decoded (secret missing)”?

The token uses an HMAC algorithm, but no secret was entered, so the signature can’t be checked.

What does alg=none mean?

It means the token is unsigned, so its header and payload can be changed without detection. Accepting unsigned tokens is usually insecure unless your system explicitly allows it.

How are exp/nbf/iat interpreted?

They are treated as epoch seconds per JWT conventions and displayed in UTC and local time.

Why does signature verification fail even with the right secret?

Common causes are a secret different from the one the issuer used, a modified token, or a mismatched algorithm (e.g., HS256 vs HS512).

Can I use this to validate authorization headers (Bearer tokens)?

Yes—paste only the JWT part (without the Bearer prefix) to decode and verify.
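
The checks described in this FAQ (three-part format, base64url/JSON decoding, alg=none detection, HS256/HS384/HS512 verification, exp/nbf against the current time), written out as an added example that is not the tool's own code. It assumes Node.js and its `crypto` module rather than the browser; `checkJwt`, `signSample`, every status string except "Decoded (secret missing)", and the sample secret and claims are constructed for illustration.

```javascript
// Added example, not the tool's source. checkJwt, signSample and the status
// strings (except "Decoded (secret missing)") are assumed names.
const crypto = require('crypto');
const HMAC_ALGS = new Map([['HS256', 'sha256'], ['HS384', 'sha384'], ['HS512', 'sha512']]);
const b64url = (s) => Buffer.from(s).toString('base64url');

function decodePart(part, name) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error(`${name}: not base64url`);
  const obj = JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  if (obj === null || typeof obj !== 'object') throw new Error(`${name}: not a JSON object`);
  return obj;
}

function checkJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) return { status: 'malformed', warnings: ['expected 3 parts'] };
  let header, payload;
  try {
    header = decodePart(parts[0], 'header');
    payload = decodePart(parts[1], 'payload');
  } catch (e) {
    return { status: 'malformed', warnings: [e.message] };
  }
  const warnings = [];
  // exp/nbf are epoch seconds; the token is usable only while nbf <= now < exp.
  if (typeof payload.exp === 'number' && nowSec >= payload.exp) warnings.push('expired');
  if (typeof payload.nbf === 'number' && nowSec < payload.nbf) warnings.push('not yet valid');
  const hash = HMAC_ALGS.get(header.alg);
  let status;
  if (String(header.alg).toLowerCase() === 'none') {
    status = 'unsigned';
    warnings.push('alg=none');
  } else if (!hash) {
    status = 'decoded (not verified)'; // e.g. RS256/ES256
  } else if (!secret) {
    status = 'Decoded (secret missing)';
  } else {
    // The MAC covers "header.payload" exactly as transmitted; the hash follows the header's alg.
    const expected = crypto.createHmac(hash, secret).update(`${parts[0]}.${parts[1]}`).digest();
    const given = Buffer.from(parts[2], 'base64url');
    const ok = given.length === expected.length && crypto.timingSafeEqual(given, expected);
    status = ok ? 'signature valid' : 'signature mismatch';
  }
  return { status, header, payload, warnings };
}

// Builds a constructed sample token for trying the checker offline.
function signSample(alg, payload, secret) {
  const head = `${b64url(JSON.stringify({ alg, typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  return `${head}.${crypto.createHmac(HMAC_ALGS.get(alg), secret).update(head).digest('base64url')}`;
}
```

This helper reads the algorithm from the token header because it is an inspection aid; a service that accepts tokens should pin the algorithm it expects instead.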