JWT Validator

Verify a JWT’s HS256 signature with your secret and check its expiry. Verified in your browser — nothing is uploaded.

📖 Read the guide: How to Verify a JWT →

Header

Payload

How it works

Paste the JWT

Drop the token you want to verify into the box.

Enter the secret

Provide the HMAC secret the token was signed with.

Verify

The signature is recomputed and compared; you get a clear valid/invalid result.

Check the claims

The header and payload are shown, and the expiry is checked.

Frequently Asked Questions

What does “valid” mean here?

That the HS256 signature matches your secret — i.e. the token is authentic and unmodified. It also flags an expired token separately.

Which algorithm is supported?

HS256 (HMAC-SHA256), the most common symmetric signing algorithm.

Is my token or secret uploaded?

No — verification runs in your browser with the Web Crypto API, so nothing is sent anywhere.

Verify a JSON Web Token (JWT) online for free. Paste a token and its HMAC secret to check the HS256 signature — confirming the token is authentic and hasn’t been tampered with — and see the decoded header and payload with an expiry check. Verification uses the browser’s Web Crypto API, so your token and secret never leave your device. Use it alongside the JWT decoder and generator for a complete JWT workflow.