Viewert
Developer Utility

JWT Inspector

Decode, validate, inspect, and compose JSON Web Tokens — with full color-coding and best-practice analysis.

Everything runs in your browser. No tokens are sent to any server.

Status: Expired

Best-practice checks
3-part JWT structure
Algorithm: HS256 (HMAC-SHA256; symmetric, secret must stay server-side)
typ header: JWT
Not expired (exp): failed, token expired 2024-03-10T16:00:00.000Z (737d ago)
Not-before (nbf) satisfied: nbf is 2024-03-09T16:00:00.000Z
Subject (sub) present
Issuer (iss) present
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload claims

sub (Subject): usr_01HX8JQYZ04VR2NN5GZVMPZWB
  Principal this token refers to
iss (Issuer): https://viewert.com
  Who issued this token
aud (Audience): viewert-api
  Intended recipient(s)
iat (Issued At): 2024-03-09 16:00:00 UTC (738d ago)
  When token was issued
exp (Expires): 2024-03-10 16:00:00 UTC (737d ago), expired
  Token expiry time
nbf (Not Before): 2024-03-09 16:00:00 UTC (738d ago)
  Token not valid before this time
jti (JWT ID): jwt_01HX8JQYZ04VR2NN5GZVMPZWb
  Unique identifier for this token
role: pro
username: alice
email_verified: true

Raw JSON
{
  "sub": "usr_01HX8JQYZ04VR2NN5GZVMPZWB",
  "iss": "https://viewert.com",
  "aud": "viewert-api",
  "iat": 1710000000,
  "exp": 1710086400,
  "nbf": 1710000000,
  "jti": "jwt_01HX8JQYZ04VR2NN5GZVMPZWb",
  "role": "pro",
  "username": "alice",
  "email_verified": true
}
base64url-encoded signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

This tool decodes the signature but cannot verify it without your secret/public key. Verification must happen server-side. Decoding ≠ verifying.

Verification pseudocode

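// Recompute the MAC over the encoded header and payload, encode it the same
// way as the token's third segment, and compare (constant-time in real code).
base64UrlEncode(
  HMACSHA256(
    base64UrlEncode(header) + "." + base64UrlEncode(payload),
    your_secret
  )
) === signature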
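
Added example, not part of the tool or the original page: a Node.js version of the server-side check the pseudocode describes, for HS256 with a shared secret, followed by the exp/nbf/iss/aud checks the inspector reports. The secret, the function names (`signHS256`, `verifyHS256`) and the fixed `now` values are assumptions made for illustration; the claim values are taken from the decoded token shown on this page.

```javascript
const nodeCrypto = require("crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const hmac = (input, secret) =>
  nodeCrypto.createHmac("sha256", secret).update(input).digest();

// Builds the constructed sample token; a real issuer does this server-side.
function signHS256(claims, secret) {
  const input = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })) +
    "." + b64url(JSON.stringify(claims));
  return input + "." + b64url(hmac(input, secret));
}

// Returns { ok: true, claims } or { ok: false, reason }.
function verifyHS256(token, secret, { issuer, audience, now }) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(token).split(".");
  if (parts.length !== 3) return fail("malformed");
  const [h, p, s] = parts;
  const parse = (seg) => {
    try { return JSON.parse(Buffer.from(seg, "base64url").toString("utf8")); }
    catch { return null; }
  };
  // Pin the algorithm: never let the token's header choose how it is checked.
  const header = parse(h);
  if (!header || header.alg !== "HS256") return fail("bad alg");
  // Recompute the MAC over the exact received bytes; compare in constant time.
  const expected = hmac(h + "." + p, secret);
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) return fail("bad signature");
  // Claims are trusted only from here on.
  const claims = parse(p);
  if (!claims || typeof claims !== "object") return fail("malformed");
  if (typeof claims.exp !== "number" || now >= claims.exp) return fail("expired");
  if (typeof claims.nbf === "number" && now < claims.nbf) return fail("not yet valid");
  if (claims.iss !== issuer) return fail("bad issuer");
  if (![].concat(claims.aud ?? []).includes(audience)) return fail("bad audience");
  return { ok: true, claims };
}

// Constructed sample: claim values from the page, secret invented for the demo.
const SECRET = "constructed-demo-secret-not-a-real-key";
const CLAIMS = { sub: "usr_01HX8JQYZ04VR2NN5GZVMPZWB", iss: "https://viewert.com",
  aud: "viewert-api", iat: 1710000000, nbf: 1710000000, exp: 1710086400, role: "pro" };
const EXPECT = { issuer: "https://viewert.com", audience: "viewert-api" };
const TOKEN = signHS256(CLAIMS, SECRET);
console.log(verifyHS256(TOKEN, SECRET, { ...EXPECT, now: 1710000100 }).ok);
console.log(verifyHS256(TOKEN, SECRET, { ...EXPECT, now: 1712000000 }).reason);
```

The signature is checked before any claim is read, so a payload edited in a decoder (for example changing `role`) fails with "bad signature" rather than reaching the expiry or audience checks.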

viewert.com/jwt — All processing is client-side. Your tokens never leave your browser.