JWT Decoder & Validator
CodeUtils helps developers inspect authentication tokens with a fast, browser-based decoder. Paste a token to decode the header and payload, check expiration metadata, and validate HS256 signatures during debugging. All parsing and verification run client-side so sensitive token data stays in your browser.
Decoded Header
Decoded header JSON will appear here.
Decoded Payload
Decoded payload JSON will appear here.
What is a JWT?
JSON Web Tokens are compact bearer tokens used to move identity and authorization claims across services. A token contains three segments separated by periods: header.payload.signature. The header defines metadata such as algorithm and token type. The payload carries claims like user identity, audiences, permissions, and temporal fields. The signature protects integrity by proving the token was signed by a trusted issuer.
JWTs are especially common in modern distributed architectures where stateless APIs need fast authorization checks without server-side sessions for every request. API gateways, SPAs, mobile apps, and microservices often depend on JWT claims to determine whether the caller is authenticated and what operations they can perform. Because tokens are portable and compact, they work well across heterogeneous systems, but they also require careful handling to avoid trust and leakage issues.
The header and payload are Base64URL encoded, not encrypted, so anyone with the token can read them. This is why sensitive raw data should not be inserted directly into claims. Developers should treat JWT values as security artifacts, inspect them with controlled tooling, and always combine decoding with issuer, audience, and signature verification in production paths.
How JWT signature works
The signature segment is created from the first two segments joined with a period. For HS256, the server computes an HMAC using SHA-256 over header.payload and a shared secret. The result is then Base64URL encoded. During verification, you recalculate the signature with the same algorithm and secret, then compare that value to the token's third segment. If they match, integrity is preserved.
Signature verification confirms the token has not been tampered with after issuance. If any claim is edited, recomputed output will differ and verification fails. That protects trust boundaries between issuing and consuming services. However, verification alone is not enough; consumers should also enforce claim validation such as issuer, audience, expiration, not-before, and token purpose.
In real systems, algorithm selection matters. HS256 requires shared secret management across all services that verify tokens. Asymmetric algorithms like RS256 use key pairs and different trust flows. This tool focuses on HS256 verification so developers can quickly validate common local and staging scenarios before moving into full production key management and JWK-based validation.
When to verify JWT signature
Signature checks are critical whenever a token is used to authorize access, invoke privileged operations, or pass identity context to downstream services. Any backend route that trusts JWT claims should verify signatures before applying business logic. This prevents attackers from modifying payload values, escalating privileges, or extending expired sessions by editing token content.
Verification is also important during integration testing. If a service rejects a seemingly valid token, inspecting decoded claims and re-running signature validation can isolate whether the issue is algorithm mismatch, wrong shared secret, malformed Base64URL, or corrupted token transport. Teams often use this process to debug rollout problems across API gateways, authentication services, and edge middleware.
Even with valid signatures, tokens must still pass policy checks. Always verify exp, nbf, aud, and issuer constraints. A valid signature means the issuer signed the token; it does not guarantee the token is currently acceptable for your endpoint. Security-hardened implementations combine signature verification, claim validation, and contextual authorization rules.
Common JWT Errors Developers Face
- Token has fewer or more than three segments after splitting by periods.
- Header or payload segments are not valid Base64URL data.
- JSON parse fails due to malformed token content.
- Algorithm in header does not match expected verifier configuration.
- Signature mismatch caused by wrong HS256 secret key.
- Expired token due to stale credential or clock drift.
- Audience and issuer checks fail in multi-environment deployments.
FAQ
Does this tool send my token anywhere?
No. Decoding and HS256 verification run client-side in your browser.
Can this verify RS256 signatures?
No. This page verifies HS256 only and will show a warning for other algorithms.
Why is my signature invalid?
Common causes are incorrect secret key, token tampering, or algorithm mismatch.
What does token expired mean?
The exp timestamp is earlier than current time.
Should I trust decoded claims alone?
No. Always validate signature and enforce issuer/audience/time-based claim checks.