OAuth Token Inspector
Inspect OAuth 2.0 access tokens and OpenID Connect ID tokens. Analyze scopes, issuer, audience, and claims.
Example JWT
Click to load a sample token for testing (HS256, no production secrets):
Why Trust JWTValidator.org
- 100% client-side: tokens and secrets never leave your browser
- No account required: free forever, no sign-up
- No data stored: we do not log, upload, or persist your tokens
- Open process: see our Privacy Policy and About page
Warning: avoid pasting production secrets or live credentials. Use test tokens during development.
About This Tool
What Is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe string defined by RFC 7519. It encodes claims as JSON and attaches a cryptographic signature so receivers can verify the token was issued by a trusted party and was not tampered with.
JWTs consist of three Base64URL-encoded parts separated by dots:
- Header: algorithm (alg) and token type (typ)
- Payload: claims such as sub, iss, aud, exp
- Signature: HMAC or asymmetric signature over header + payload
JWTs are used by OAuth 2.0, OpenID Connect, Auth0, Firebase, AWS Cognito, and most modern API authentication systems.
How JWT Validation Works
Validating a token requires more than Base64 decoding. A secure verifier performs these steps on every request:
- Parse structure: confirm exactly three segments separated by dots
- Verify signature: HMAC with a shared secret, or asymmetric verification with the public key from JWKS
- Validate algorithm: reject unexpected alg values, including none
- Check time claims: exp not in the past, nbf not in the future, allowing for clock skew
- Validate iss and aud: issuer and audience must match your application configuration
Use JWT Validator for HMAC verification or JWKS Validator for RS256/ES256 with JWKS endpoints.
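The validation pipeline above, carried through as an added example (this is not the tool's own code): a stdlib-only Python HS256 verifier that applies each step in order, checks the algorithm before touching the signature, allows clock skew on exp and nbf, and reports which check failed in the same categories as the error list on this page. The secret, issuer, audience and claim values used by the helper are constructed test values.

```python
import base64, hashlib, hmac, json, time
ALLOWED_ALGS = {"HS256"}  # explicit allowlist: "none" and anything unexpected is rejected

def b64url_decode(segment: str) -> bytes:
    # Base64URL omits padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def verify_jwt(token, secret, issuer, audience, now=None, skew=60):
    """Return {"valid": True, "payload": ...} or {"valid": False, "error": <failed check>}."""
    fail = lambda msg: {"valid": False, "error": msg}
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return fail("malformed JWT: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(payload, dict)): raise ValueError
    except ValueError:
        return fail("malformed JWT: segments are not valid Base64URL JSON")
    # Check alg before touching the signature: the header is attacker-controlled input
    if header.get("alg") not in ALLOWED_ALGS:
        return fail(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return fail("invalid signature")
    exp, nbf = payload.get("exp"), payload.get("nbf")
    if exp is None or now > exp + skew:
        return fail("token expired")
    if nbf is not None and now < nbf - skew:
        return fail("token not yet valid")
    if payload.get("iss") != issuer:
        return fail("issuer mismatch")
    aud = payload.get("aud")  # aud may be a single string or a list of audiences
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return fail("audience mismatch")
    return {"valid": True, "payload": payload}

def make_test_token(claims, secret, alg="HS256"):
    # Constructed test token, not a production credential; only HS256 gets a real signature
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{b64url_encode(sig)}"
```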
How to Use This Tool
- Copy a JWT from your application, API response, or browser dev tools
- Paste into the tool above and click the primary action button
- Review decoded output, validation result, or error message
- Use Copy buttons to export results for documentation or support tickets
Example Use Cases
- Debug 401 Unauthorized errors from REST APIs
- Inspect OAuth access tokens and OpenID Connect ID tokens
- Verify token expiration before implementing refresh logic
- Learn JWT structure during onboarding or security reviews
Common JWT Errors
Developers encounter these errors frequently:
- Token expired: exp claim is in the past
- Invalid signature: wrong secret, key, or algorithm
- Malformed JWT β not three valid Base64URL segments
- Algorithm not allowed β alg confusion or none attack attempt
Browse the full JWT Error Directory for fixes with step-by-step instructions.
Best Practices for JWT Security
- Never trust decoded payload without signature verification
- Use short-lived access tokens (5–15 minutes) with refresh rotation
- Whitelist allowed algorithms: never accept alg: none
- Store tokens in httpOnly cookies, not localStorage (XSS risk)
- Use RS256/ES256 for public APIs; protect HMAC secrets with 256+ bit random keys
- Validate exp, iss, aud, and sub on every request
- Never log full bearer tokens in application logs
Read our JWT Security Best Practices article and explore the Security Hub.
Explore JWT Guides, Blog, and Learning Path for deeper tutorials.
FAQ
What's the difference between access and ID tokens?
Access tokens authorize API access; ID tokens authenticate the user (OpenID Connect).