JWT Inspector & Verifier

Decode a JWT (header + payload) with syntax highlighting, diagnose standard claims, and verify the signature with HS*/RS*/PS*/ES*/EdDSA keys — plus a tampered-token forgery demo

Paste a compact JWT (JWS) and the tool will:

  1. base64url-decode the header and payload into readable, syntax-highlighted JSON.
  2. Run claim diagnostics on exp / nbf / iat / iss / aud / sub / jti, flagging expired, not-yet-valid, or missing claims.
  3. Verify the cryptographic signature against a shared secret (HS) or an asymmetric public key in PEM or JWK form (RS, PS, ES, EdDSA).
  4. Optionally re-sign a tampered payload with your key to demonstrate why a verifier MUST pin the expected alg and reject tokens that pass signature checks but were minted by the wrong party.

Security notes:

  • Verification happens server-side using Node crypto. The secret/key is used only within the request that submits it.
  • alg=none tokens are reported and never accepted as valid.
  • Always enforce the expected algorithm and issuer/audience on your own backend; this tool is for inspection and education.
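
The alg-pinning, alg=none and clock-skew rules above, sketched for the HS256 case with Node crypto. This is an added example, not the tool's own code: signHS256 and verifyHS256 are hypothetical names, the tokens are constructed in the script, and issuer/audience checks are left out to keep it short.

```javascript
// Added example (not the tool's code): HS256 verification with a pinned algorithm.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const decodeJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Hypothetical helper, used only to mint the constructed sample tokens below.
function signHS256(header, payload, secret) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${b64url(crypto.createHmac('sha256', secret).update(input).digest())}`;
}

// The expected algorithm is fixed by the verifier; the header is only checked against it.
function verifyHS256(token, secret, { now = Math.floor(Date.now() / 1000), clockSkew = 0 } = {}) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, payload;
  try {
    header = decodeJson(parts[0]);
    payload = decodeJson(parts[1]);
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !payload) return { ok: false, reason: 'malformed' };
  // Pin the algorithm: alg=none, RS256 and the rest are rejected before any crypto runs.
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = crypto.createHmac('sha256', secret).update(`${parts[0]}.${parts[1]}`).digest();
  const given = Buffer.from(parts[2], 'base64url');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  // Claims are consulted only after the signature has been verified.
  if (typeof payload.exp === 'number' && now >= payload.exp + clockSkew) return { ok: false, reason: 'expired' };
  if (typeof payload.nbf === 'number' && now < payload.nbf - clockSkew) return { ok: false, reason: 'not yet valid' };
  return { ok: true, reason: 'valid', payload };
}

// Constructed sample data: the secret is the page's demo value, the claims are made up.
const SECRET = 'demo-secret-2026';
const NOW = 1700000000;
const good = signHS256({ alg: 'HS256', typ: 'JWT' }, { sub: '1234567890', exp: NOW + 60 }, SECRET);
const stale = signHS256({ alg: 'HS256', typ: 'JWT' }, { sub: '1234567890', exp: NOW - 10 }, SECRET);
const [h, , s] = good.split('.');
const tampered = `${h}.${b64url(JSON.stringify({ sub: 'admin', exp: NOW + 60 }))}.${s}`;
const unsigned = `${b64url(JSON.stringify({ alg: 'none' }))}.${b64url(JSON.stringify({ sub: 'admin' }))}.`;

for (const [name, tok] of Object.entries({ good, stale, tampered, unsigned })) {
  console.log(name.padEnd(9), verifyHS256(tok, SECRET, { now: NOW }).reason);
}
```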

Example Results

1 example

Decode and verify a sample HS256 token

See the header, payload, claim diagnostics, and pass/fail signature check against a shared secret.

JWT decoded, claims diagnosed, signature verified against shared secret.
Input parameters:
{ "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lZSIsImlhdCI6MTUxNjIzOTAyMn0.yo-bLjjeUhUPia17JiJbc2f1e0JXJIJAi4auivcB-IY", "mode": "verify", "secret": "demo-secret-2026", "publicKey": "", "forgePayload": "", "clockSkew": 0 }

Key Facts

  • Category: Security & Validation
  • Input Types: textarea, select, text, number
  • Output Type: html
  • Sample Coverage: 4
  • API Ready: Yes

Overview

The JWT Inspector & Verifier allows you to decode JSON Web Tokens (JWT) into readable JSON, diagnose standard claims like expiration and issuer, and cryptographically verify signatures using shared secrets or asymmetric public keys.

When to Use

  • When debugging authentication issues and you need to inspect the header and payload claims of a JWT.
  • When verifying if a JWT signature is valid using a shared HS* secret or an asymmetric RS*/PS*/ES*/EdDSA public key.
  • When testing how your backend handles clock skew or simulated token forgery attempts.

How It Works

  • Paste your compact JWT token into the input field.
  • Select your verification mode: decode only, verify signature, or run a forgery demo.
  • Provide the shared secret for HS* algorithms, or the public key in PEM or JWK format for RS*, PS*, ES*, or EdDSA algorithms.
  • Review the syntax-highlighted JSON payload, claim diagnostics such as expiration status, and the signature verification result.

Use Cases

  • Inspecting JWT payload claims to debug user roles, permissions, or expiration times during development.
  • Validating token signatures generated by identity providers using their public JWK or PEM keys.
  • Simulating token tampering to verify that your application's signature validation logic is secure.

Examples

1. Verifying an HS256 API Token

Backend Developer

  • Background: A developer is building a Node.js API that uses HS256-signed JWTs for authentication and needs to verify if a generated token has a valid signature.
  • Problem: The developer needs to check if the token's signature matches the shared secret and inspect the claims.
  • How to Use: Paste the JWT token, select 'Verify signature' mode, and enter the shared secret in the designated field.
  • Example Config: Mode: Verify signature, Secret: demo-secret-2026
  • Outcome: The tool decodes the header and payload, runs claim diagnostics, and confirms the signature is valid.

2. Checking RS256 Token Claims and Public Key Signature

Security Engineer

  • Background: An engineer is auditing tokens issued by an external identity provider using RS256.
  • Problem: They need to verify the token signature against the provider's public PEM key and check for expired claims.
  • How to Use: Paste the RS256 token, select 'Verify signature', and paste the public key PEM block into the public key field.
  • Example Config: Mode: Verify signature, Public Key: -----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...\n-----END PUBLIC KEY-----
  • Outcome: The tool decodes the token, flags any expired claims, and verifies the cryptographic signature using the public key.

FAQ

Does this tool support asymmetric algorithms like RS256 or ES256?

Yes, you can verify signatures using RS*, PS*, ES*, and EdDSA algorithms by providing the public key in PEM or JWK format.

Are my secrets and keys safe when using this verifier?

Yes. Verification is performed server-side using Node crypto, and your keys or secrets are never stored or exposed.

How does the tool handle tokens with the none algorithm?

Tokens using the "none" algorithm are flagged as insecure and are never accepted as valid.

What is the purpose of the forgery demo mode?

It shows what happens when a payload is tampered with and then re-signed, highlighting why backends must strictly enforce the expected algorithm.

Can I account for system clock differences during claim diagnostics?

Yes, you can configure the reference clock skew in seconds to prevent false expiration flags due to minor time differences.

API Documentation

Request Endpoint

POST /en/api/tools/jwt-inspector-verifier

Request Parameters

Parameter Name   Type       Required   Description
token            textarea   Yes        -
mode             select     No         -
secret           text       No         -
publicKey        textarea   No         -
forgePayload     textarea   No         -
clockSkew        number     No         -

Response Format

{
  "result": "Processed HTML content",
  "error": "Error message (optional)",
  "message": "Notification message (optional)",
  "metadata": { "key": "value" }
}

AI MCP Documentation

Add this tool to your MCP server configuration:

{
  "mcpServers": {
    "elysiatools-jwt-inspector-verifier": {
      "name": "jwt-inspector-verifier",
      "description": "Decode a JWT (header + payload) with syntax highlighting, diagnose standard claims, and verify the signature with HS*/RS*/PS*/ES*/EdDSA keys — plus a tampered-token forgery demo",
      "baseUrl": "https://elysiatools.com/mcp/sse?toolId=jwt-inspector-verifier",
      "command": "",
      "args": [],
      "env": {},
      "isActive": true,
      "type": "sse"
    }
  }
}

You can chain multiple tools, e.g.: `https://elysiatools.com/mcp/sse?toolId=png-to-webp,jpg-to-webp,gif-to-webp`, max 20 tools.
