DevToolsKit
How-To Guides
6 min read · March 21, 2026

How to Validate JWT Tokens — Developer Guide

JWT validation is essential for secure authentication. Whether you're debugging a login flow or inspecting token claims, this guide walks you through decoding, checking expiration, and understanding what validation actually means.

Decode vs Validate — Know the Difference

  • Decoding — reading the header and payload (base64url decode, no padding). Anyone can do this; it proves nothing about who issued the token.
  • Validating — verifying the signature and checking claims (exp, iss, aud). Requires the secret (HS256) or the issuer's public key (RS256).

Our JWT Decoder decodes tokens for development and debugging. It does NOT verify signatures. Always validate server-side in production.

Step 1: Decode the JWT

  1. Copy the JWT from the Authorization header, a cookie, or an API response
  2. Paste into the JWT Decoder tool
  3. Review the header — check algorithm (alg) and token type
  4. Review the payload — inspect claims like sub, email, roles, exp

Decode JWT Token Free

Instantly view header, payload, and expiration status.


Step 2: Check Expiration

The exp claim is a Unix timestamp (seconds since the epoch) indicating when the token expires. Our decoder shows the expiration in human-readable form with a valid/expired status. If the token is expired, the client needs to refresh it or re-authenticate.

Convert JWT exp Timestamp

Convert Unix timestamps to readable dates.


Step 3: Verify Claims

  • Check iss (issuer) matches your authentication server
  • Check aud (audience) matches your application
  • Verify sub (subject) is the expected user ID
  • Inspect custom claims (roles, permissions) for authorization
  • Ensure token hasn't expired (exp > current time)

Step 4: Verify Signature (Server-Side)

Signature verification must happen on your server using the secret key (HS256) or the public key (RS256). In Node.js, use the jsonwebtoken library: jwt.verify(token, secret). Never expose your secret key to the client.

const jwt = require('jsonwebtoken');
// `token` is the raw JWT taken from the Authorization header, cookie, or request body.
try {
  const decoded = jwt.verify(token, process.env.JWT_SECRET, {
    algorithms: ['HS256'], // pin the algorithm server-side; never let the token's alg header choose it
  });
  console.log('Valid token:', decoded); // payload with signature and exp already checked
} catch (err) {
  console.log('Invalid token:', err.message); // expired, bad signature, wrong algorithm, ...
}

Related Free Tools

JWT Decoder

Decode JWT tokens to view header, payload, and expiration.


Unix Timestamp Converter

Convert between Unix timestamps and human-readable dates.


Frequently Asked Questions

Can I validate JWT without the secret key?

You can decode and inspect claims without the key, but signature verification requires the secret (HS256) or public key (RS256).

What if my JWT is expired?

Use a refresh token to get a new access token, or redirect the user to log in again. Never extend expiration client-side.
