We use cookies to understand how DevToolsHub is used and to improve your experience. You can choose which types of cookies to allow.
Validate JWT tokens by verifying signatures and checking claims.
Loading...
Loading...
JWT Validationis the process of cryptographically verifying that a JSON Web Token (JWT) has not been tampered with since it was issued. Unlike simply decoding a JWT — which anyone can do because the header and payload are only base64url-encoded — validation requires the secret key (for HMAC algorithms like HS256, HS384, HS512) or public key (for RSA or ECDSA algorithms) that was used to sign the token. The validator re-computes the signature over the header and payload and compares it to the signature in the token. If they match, the token is authentic; if they don’t, the token has been modified or forged.
Validation goes beyond signature verification. A complete validation also checks the token’s claims — the statements encoded in the payload. The most critical claim checks are exp (expiration time), which ensures the token has not expired, and nbf (not before), which ensures the token is not being used before its intended valid-from time. Additional checks may include verifying the iss (issuer) and aud (audience) claims to ensure the token was issued by the expected party and is being used by the intended recipient.
DevToolsHub’s JWT Validator performs all of these checks in your browser using the Web Crypto API for real cryptographic signature verification. It supports the three HMAC algorithms defined in RFC 7519 — HS256, HS384, and HS512 — and provides clear, detailed feedback about each validation step so you know exactly what passed and what failed.
The signature is the cryptographic heart of JWT security. The validator takes the base64url-encoded header and payload (the “signing input”), computes the HMAC using the provided secret and the algorithm specified in the header, and compares the result to the token’s signature segment. If they match, the token has not been modified. If they differ, the token is either corrupted or has been tampered with by an attacker. This check uses the browser’s native Web Crypto API (crypto.subtle.verify) for real cryptographic verification — not a simplified reimplementation.
The exp claim specifies the Unix timestamp (in seconds) after which the token should no longer be accepted. The validator compares this to the current time and flags the token as expired if the current time is at or past the expiration value. Most APIs reject expired tokens, so this check helps you quickly identify tokens that need to be refreshed.
The nbf claim specifies the Unix timestamp before which the token should not be accepted. This is useful for tokens that are issued in advance but should only become valid at a specific time (for example, a token issued during a scheduled maintenance window that becomes valid when the window starts). The validator flags the token as not-yet-valid if the current time is before the nbf value.
The validator lets you restrict which algorithms are accepted. This is a critical security measure: without an allow-list, an attacker could potentially craft a token with a weaker algorithm (such as none) and bypass verification. By default, the tool accepts HS256, HS384, and HS512, but you can narrow the list to match your application’s expected algorithm.
iss), audience (aud), and any application-specific claims that matter for authorization.Loading...