JWT Claim Audit
Inspect auth headers and token data in your browser. No input is sent to a server. Use it for first-pass checks on expiry, claims, and schemes.
How to use
Paste the JWT payload JSON and click Audit, then check the timestamp claims and any missing required claims.
Notes (this tool)
- This tool audits claim content only. Verify signature integrity separately with a verifier.
- Validation criteria for aud/iss/sub differ by service; always prioritize issuer specifications.
About this page
What does this tool do?
Checks for the presence of iss/aud/exp/nbf/iat/jti and catches common operational gaps early.
Useful as a preliminary step before signature verification, for reviewing claim design quickly.
Recommendations (practical)
- exp and iss are generally required
- aud is important in multi-tenant or multi-client setups
- Use nbf only if needed (watch clock skew)
Notes
- This tool audits claims only. Perform signature and key verification with JWT Verifier.
- exp/nbf/iat use NumericDate (Unix seconds). A value given in milliseconds is read as seconds and interpreted incorrectly.
- aud can be string or array per spec; confirm against your implementation expectations.
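The checks described above (claim presence, NumericDate in Unix seconds, aud as string or array) written out as an added example; it is not this tool's own code. The function name auditClaims, the severity levels, the 60-second skew allowance and the millisecond threshold are assumptions chosen for illustration.

```javascript
// Added example: audit a decoded JWT payload (claims only, no signature check).
// Assumed values: 60 s skew allowance; numbers >= 1e11 are treated as milliseconds.
const SKEW_SECONDS = 60;
const MS_THRESHOLD = 1e11; // as Unix seconds this would be a date past the year 5000

function auditClaims(payloadJson, nowSeconds = Math.floor(Date.now() / 1000)) {
  const findings = [];
  const add = (level, claim, message) => findings.push({ level, claim, message });
  let claims;
  try {
    claims = JSON.parse(payloadJson);
  } catch (err) {
    return [{ level: "error", claim: null, message: "payload is not valid JSON" }];
  }
  if (claims === null || typeof claims !== "object" || Array.isArray(claims)) {
    return [{ level: "error", claim: null, message: "payload must be a JSON object" }];
  }
  // Presence: exp and iss are generally required, aud matters, the rest as needed.
  for (const name of ["exp", "iss"]) if (!(name in claims)) add("error", name, "missing");
  if (!("aud" in claims)) add("warn", "aud", "missing");
  for (const name of ["nbf", "iat", "jti"]) if (!(name in claims)) add("info", name, "missing");
  // NumericDate claims must be finite numbers expressed in Unix seconds.
  const times = {};
  for (const name of ["exp", "nbf", "iat"]) {
    if (!(name in claims)) continue;
    const value = claims[name];
    if (typeof value !== "number" || !Number.isFinite(value)) {
      add("error", name, "not a number");
    } else if (value >= MS_THRESHOLD) {
      add("error", name, "looks like milliseconds, expected Unix seconds");
    } else {
      times[name] = value;
    }
  }
  // Time-window checks, tolerant of small clock differences.
  if ("exp" in times && times.exp <= nowSeconds - SKEW_SECONDS) add("error", "exp", "expired");
  if ("nbf" in times && times.nbf > nowSeconds + SKEW_SECONDS) add("error", "nbf", "not yet valid");
  if ("iat" in times && times.iat > nowSeconds + SKEW_SECONDS) add("warn", "iat", "issued in the future");
  if ("exp" in times && "nbf" in times && times.exp <= times.nbf) add("error", "exp", "exp is not after nbf");
  // aud may be a single string or an array of strings.
  if ("aud" in claims) {
    const aud = claims.aud;
    const ok = typeof aud === "string" ||
      (Array.isArray(aud) && aud.length > 0 && aud.every((a) => typeof a === "string"));
    if (!ok) add("error", "aud", "must be a string or a non-empty array of strings");
  }
  return findings;
}
```

Pass a fixed nowSeconds when replaying a captured token so the result does not depend on the current clock.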
Debugging workflow (recommended)
- Paste tokens or authentication headers
- Check claims, auth scheme, and expiration
- Verify signature, scopes, and issuer with related tools
Referenced specs
- RFC 7519 (JWT)
- RFC 8725 (JWT Best Current Practices)
FAQ
Which claims should be checked at minimum?
Prioritize exp, iss, and aud, then review nbf, iat, and jti as needed.
Do valid claims alone guarantee authentication success?
No. Final trust requires signature verification and key alignment checks.
Related tools
- JWT Decoder
- JWT Verifier
Next to view (diagnostic order)
- JWT TTL Check — Calculate validity window and remaining TTL from exp/iat/nbf
- JWT Decoder — Decode and pretty-print JWT header/payload
- JWT Clock Skew Check — Detect timestamp skew across iat/nbf/exp
- JWT 401/403 Troubleshooting — Troubleshoot 401/403 auth failures from headers and JWT claims
- OAuth Bearer Diagnostic — Diagnose consistency between Bearer and WWW-Authenticate
- Authorization Inspect — Parse Authorization header formats
- WWW-Authenticate Inspect — Parse WWW-Authenticate challenges
- JWT Verifier — Verify JWT signatures (HS/RS/ES)