Token Workbench
Paste:header.payload.signature
JWT Validator
Decode token claims, calculate a practical risk score, and catch claim-level auth mistakes before they trigger production incidents.
Decoded Header
{}
Decoded Payload
{}
What Is a JWT Validator?
A JWT validator is a fast inspection tool that helps teams verify whether a JSON Web Token is structurally sound and claim-complete before deployment. JWTs are used in login flows, API gateways, service-to-service communication, internal tools, and automation bots. A single malformed claim can cause authorization failures, and those failures often appear only after merge or release. This validator helps you identify claim-level issues earlier, when fixes are cheap and risk is lower.
This page decodes the header and payload in the browser and evaluates practical claim checks, including expiration windows, not-before timing, issued-at drift, and issuer or audience presence. It gives developers, QA engineers, and incident responders one shared view so debugging does not depend on custom scripts every time a token issue appears.
Important boundary: decoding does not prove trust. A token can decode correctly and still be invalid if signature verification fails or if backend policy rejects issuer and audience. Use this validator for triage and diagnostics, then enforce final decisions server-side.
How to Calculate JWT Validation Risk Score
The risk score on this page is an operational indicator, not a cryptographic verdict. The workflow is straightforward. First, parse token structure and ensure three segments exist. Second, decode header and payload. Third, evaluate claim rules. The tool subtracts points for each warning or failure and surfaces a score from 0 to 100. A high score suggests fewer obvious claim issues, while a low score indicates missing or dangerous fields that need immediate review.
In practical terms, start with algorithm and expiration. Then check not-before and issued-at values to catch time drift between environments. Next, review issuer and audience because cross-service auth often fails there. Finally, inspect business claims such as role, tenant, and subject IDs according to your own policy contract.
Because this scoring model is deterministic, teams can use it in manual QA checklists and in release runbooks. It helps separate policy bugs from infrastructure bugs, especially when incidents include mixed symptoms across multiple services.
Worked Examples
Example 1: Expired token after successful login
Frontend login appears successful, but API calls fail instantly. Validator shows exp in the past due to a signer clock issue. Fixing server time sync resolves the outage without frontend changes.
Example 2: Missing audience in a multi-service environment
The token decodes normally, yet one downstream service returns 401. Payload lacks aud, so audience checks reject the token. Adding audience mapping in issuer config restores compatibility.
Example 3: Future issued-at in one region only
Bot traffic fails in one region but works elsewhere. Claims reveal iat ahead of local validator clock by several minutes. Regional NTP correction plus tolerance policy stabilizes auth behavior.
Frequently Asked Questions
Does this JWT validator verify cryptographic signatures?
No. This page checks structure and claims only. Signature verification must happen on your backend with your secret or public key.
Why can a decoded token still fail in production?
Because decoding only proves format. Signature mismatch, issuer mismatch, audience mismatch, revocation, or clock skew can still invalidate the token.
How should I interpret a low JWT risk score?
A low score means the token likely has missing or risky claims. Treat it as a triage signal and perform full backend policy checks before release.
Can I use this for access tokens and refresh tokens?
Yes. You can inspect both token types, but each provider uses different claim policies and lifetime expectations.
Which claims should I inspect first?
Start with exp, nbf, iat, iss, and aud. Then review business claims like role, tenant, and subject identifiers.