
JWT Online Checker

Paste a JWT to decode the header and payload, check common time claims (exp/nbf/iat), and optionally verify the signature for HS256/HS384/HS512 using a shared secret. Everything runs client-side (no uploads, no requests).

JWT Online Checker (client-side). Signature verification supports HS256/HS384/HS512 only.
Tip: For RSA/ECDSA tokens (RS*/ES*), this tool will decode and validate claims but won’t verify the signature without a public key workflow.
Privacy: runs locally in your browser. No uploads, no tracking scripts.

How to use

Use this to quickly inspect and sanity-check JWTs.

  1. Paste the JWT into the token box.
  2. (Optional) Enter a shared secret to verify HS256/HS384/HS512 signatures.
  3. Click Check JWT to decode and run checks.
  4. Copy the output JSON if you need to share findings.

FAQ

Does this JWT checker send my token to a server?

No. Decoding and checks run in your browser and this tool does not make network requests.

Can it verify RS256/ES256 signatures?

Not in this version. It can decode and validate claims, but signature verification is only implemented for HS256/HS384/HS512 with a shared secret.

What does “UNVERIFIED” mean?

The token uses HS* but you did not provide a secret, so the tool can’t confirm if the signature matches.

How is expiration checked?

The tool compares exp (seconds since epoch) against your current local time; it marks the token expired when now >= exp.

Why does my token show as malformed?

A JWT must have 2–3 dot-separated parts, and each part must be valid base64url; the header and payload must decode to JSON.

What is alg=none and is it safe?

alg=none means the token carries no signature, so nothing protects its contents from modification. It should only be used in tightly controlled scenarios; otherwise it is usually a security risk.

What secret should I use for HS256 verification?

Use the exact shared secret your issuer uses to sign tokens (often an environment variable). A different secret will always produce an invalid signature.
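
The checks described in this FAQ can be reproduced offline. The following is an added example for Node.js, not this tool's source code; checkJwt, makeSample, the result field names and the NONE/UNSUPPORTED/VALID/INVALID labels are assumptions made for illustration (only UNVERIFIED comes from this page).

```javascript
// Added example (not the tool's own code): structure, time-claim and HMAC checks.
const crypto = require("node:crypto");

const HS = { HS256: "sha256", HS384: "sha384", HS512: "sha512" };
const B64URL = /^[A-Za-z0-9_-]*$/;

// Header and payload must be base64url and decode to a JSON object.
function decodeJson(part) {
  if (!B64URL.test(part)) throw new Error("not base64url");
  const v = JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
  if (v === null || typeof v !== "object") throw new Error("not a JSON object");
  return v;
}

// checkJwt and its result fields are hypothetical names chosen for this example.
function checkJwt(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length < 2 || parts.length > 3) return { malformed: "expected 2-3 parts" };
  let header, payload;
  try {
    header = decodeJson(parts[0]);
    payload = decodeJson(parts[1]);
  } catch (e) {
    return { malformed: e.message };
  }
  const sig = parts[2] || "";
  if (!B64URL.test(sig)) return { malformed: "signature is not base64url" };
  let signature;
  if (header.alg === "none") signature = "NONE"; // no signature to check
  else if (!HS[header.alg]) signature = "UNSUPPORTED"; // e.g. RS*/ES*: decode only
  else if (!secret) signature = "UNVERIFIED"; // HS* but no secret supplied
  else {
    const mac = crypto.createHmac(HS[header.alg], secret);
    const expected = mac.update(parts[0] + "." + parts[1]).digest();
    const given = Buffer.from(sig, "base64url");
    const same = given.length === expected.length && crypto.timingSafeEqual(given, expected);
    signature = same ? "VALID" : "INVALID";
  }
  return {
    header, payload, signature,
    expired: typeof payload.exp === "number" && now >= payload.exp,
    notYetActive: typeof payload.nbf === "number" && now < payload.nbf,
  };
}
// Builds a constructed sample token so the example runs without real credentials.
function makeSample(alg, payload, secret) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const input = enc({ alg, typ: "JWT" }) + "." + enc(payload);
  return input + "." + crypto.createHmac(HS[alg], secret).update(input).digest("base64url");
}
```

A VALID result only says the signature matches the supplied secret; the expired and notYetActive flags are reported separately and must be checked as well.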