What This Tool Does
- Decodes the header and payload of any signed JWT and displays them with syntax highlighting
- Inspects standard claims (exp, nbf, iat) and shows timestamps and validity status
- Displays all claims in the payload (both standard and custom) in a human-readable format
- Optionally verifies the cryptographic signature using a public key via the native Web Crypto API
- Auto-detects whether a pasted key is JWK or PEM format
This tool validates signed JWTs (JWS) with 3 parts. Encrypted JWTs (JWE) are not supported.
Supported Algorithms
This validator supports the following asymmetric signing algorithms for signature verification:
- RS256, RS384, RS512 — RSA with SHA-256/384/512
- PS256, PS384, PS512 — RSA-PSS with SHA-256/384/512
- ES256, ES384, ES512 — ECDSA with P-256/384/521 curves
HMAC algorithms (HS256, HS384, HS512) require shared secrets and cannot be verified with public keys.
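The decoding, claim checks, key-format detection and algorithm selection described above can be sketched as follows. This is an added example, not the tool's own code: `ALGS`, `detectKeyFormat`, `inspectJwt` and the sample token are hypothetical names and constructed values, and the status uses only exp and nbf.

```javascript
// Added example; ALGS, detectKeyFormat and inspectJwt are hypothetical names.
// JWS "alg" -> Web Crypto parameters for importKey() and verify().
const ALGS = new Map();
for (const bits of [256, 384, 512]) {
  const hash = `SHA-${bits}`;
  ALGS.set(`RS${bits}`, { importParams: { name: 'RSASSA-PKCS1-v1_5', hash },
                          verifyParams: { name: 'RSASSA-PKCS1-v1_5' } });
  // RFC 7518: the PSS salt is as long as the hash output, in bytes.
  ALGS.set(`PS${bits}`, { importParams: { name: 'RSA-PSS', hash },
                          verifyParams: { name: 'RSA-PSS', saltLength: bits / 8 } });
  // ES512 is ECDSA on curve P-521 with SHA-512; there is no "P-512".
  const namedCurve = bits === 512 ? 'P-521' : `P-${bits}`;
  ALGS.set(`ES${bits}`, { importParams: { name: 'ECDSA', namedCurve },
                          verifyParams: { name: 'ECDSA', hash } });
}

const toB64url = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function fromB64urlJson(part) {
  const bin = atob(part.replace(/-/g, '+').replace(/_/g, '/'));
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function detectKeyFormat(text) {
  const t = text.trim();
  if (t.startsWith('-----BEGIN ')) return 'pem';
  try { if (typeof JSON.parse(t).kty === 'string') return 'jwk'; } catch (_) { /* not JSON */ }
  return 'unknown';
}

function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length === 5) throw new Error('JWE (5 parts) is not supported');
  if (parts.length !== 3) throw new Error('expected a 3-part signed JWT');
  const header = fromB64urlJson(parts[0]);
  const payload = fromB64urlJson(parts[1]);
  const { exp, nbf } = payload;
  const status = typeof exp === 'number' && now >= exp ? 'expired'
    : typeof nbf === 'number' && now < nbf ? 'not yet valid' : 'within validity window';
  // HS* and "none" have no entry, so they are never verified with a public key.
  const alg = ALGS.get(header.alg) ?? null;
  return { header, payload, status, alg, signingInput: `${parts[0]}.${parts[1]}` };
}

// Constructed sample token; the third part is a placeholder, not a real signature.
const SAMPLE = [toB64url({ alg: 'ES512', typ: 'JWT' }),
  toB64url({ sub: 'demo', nbf: 1600000000, exp: 1700000000 }), 'c2ln'].join('.');
```

The `signingInput` string (header and payload, still encoded, joined by a dot) is the data a verifier passes to `crypto.subtle.verify` together with `alg.verifyParams`, the imported key and the decoded third part.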
References & Specifications
The following standards and resources are relevant to JWT validation, security, and token-based authentication:
- RFC 7519 — JSON Web Token (JWT): The core specification defining the JWT format, claims, and processing rules.
- RFC 7515 — JSON Web Signature (JWS): Defines how JWTs are signed and the structure of the signature.
- RFC 7517 — JSON Web Key (JWK): Specifies the format for representing cryptographic keys used to sign and verify JWTs.
- OWASP JWT Security Cheat Sheet: Practical guidance on JWT vulnerabilities, common attacks, and secure implementation.
- NIST SP 800-63B — Digital Identity Guidelines: Federal standards for authentication and identity management relevant to token-based auth.
- OpenID Connect Core 1.0: The specification for OIDC, which uses JWTs as its primary token format.