DevToolBoxGRATIS
Blogg

JWT Validator

Validate JWT token structure and check expiration. Verify header, payload, algorithm, and time-based claims without the secret key.

JWT Validation Reference

JWT Validation Checklist

#CheckWhat to verifyRequires Key?
1StructureToken has exactly 3 dot-separated partsNo
2Header JSONFirst part decodes to valid JSONNo
3Payload JSONSecond part decodes to valid JSONNo
4AlgorithmHeader contains "alg" fieldNo
5Expirationexp claim vs current timeNo
6Not Beforenbf claim vs current timeNo
7Issueriss matches expected issuerNo
8Audienceaud matches your appNo
9SignatureCryptographic signature verificationYes

Common JWT Errors

ErrorCauseFix
jwt expiredexp claim is in the pastRefresh the token or extend expiry
jwt malformedToken does not have 3 partsCheck token format and encoding
invalid signatureSignature does not matchVerify the signing key matches
jwt not activenbf claim is in the futureWait until the token becomes active
invalid algorithmalg does not match expectedEnsure consistent algorithm configuration
invalid audienceaud does not match your appCheck audience claim configuration

Validation vs Verification

JWT validation checks the token structure and claims (format, expiration, required fields). JWT verification confirms the signature using the secret key or public key, ensuring the token was not tampered with. This tool performs validation only — signature verification requires the server-side secret.

Frequently Asked Questions

Can you validate a JWT without the secret key?
You can validate the structure of a JWT without the secret key — checking that it has 3 parts, valid JSON in header and payload, required fields like "alg", and whether the exp claim indicates expiration. However, you cannot verify the signature without the secret key (for HMAC algorithms) or public key (for RSA/ECDSA algorithms). Signature verification confirms the token was not tampered with.
How do I check if a JWT is expired?
Look at the "exp" claim in the payload. It contains a Unix timestamp (seconds since epoch). Compare it with the current time: if the current Unix timestamp is greater than the exp value, the token has expired. Note that not all JWTs have an exp claim — some are designed to never expire. This validator automatically checks the exp claim for you.
What is the difference between JWT validation and JWT verification?
JWT validation checks the token format and structure: correct number of parts, valid Base64URL encoding, valid JSON, presence of required fields, and claim values (like expiration). JWT verification goes further by cryptographically checking the signature against the header, payload, and secret/public key. Validation can be done anywhere; verification requires the signing key.

Related JWT Tools

𝕏 Twitterin LinkedIn

Vurder dette verktøyet

4.4 / 5 · 89 vurderinger

More Tools

JWTJWT DecoderJDJWT Token DecoderJPJWT ParserJSON Validator

Recommended

CloudflareFree CDN & DDoS protection

Hold deg oppdatert

Få ukentlige dev-tips og nye verktøy.

Ingen spam. Avslutt når som helst.

Enjoy these free tools?

Buy Me a Coffee