Validate and document a JWT
Decode a JWT, inspect claims and expiry, and verify HS256 signatures when you have the shared secret.
Step 1
Decode the token and inspect the header and claims
Paste the JWT into JWT Debugger to decode the header and payload locally in your browser. Check issuer, audience, subject, scopes, and any custom claims you need to explain to someone else.
Open JWT Debugger →Step 2
Check the expiry and timing claims
Review exp, nbf, and iat before you assume the token is still usable. A token that decodes cleanly can still be expired, not yet valid, or obviously issued for the wrong environment.
Review timing claims →Step 3
Verify HS256 only when you have the shared secret
If the token uses HS256 and you have the correct shared secret, use the debugger's verification support to confirm the signature. Record whether verification actually succeeded instead of only noting that the payload looked plausible.
Verify the signature →Step 4
Keep the decode-versus-verify distinction explicit
The JWT Debugger explains that decoding is not verification, and that distinction belongs in your notes or incident write-up. Treat the decoded claims as untrusted until the signature and relevant validation checks pass.
Read the debugger notes again →