Token Format Checker

Inspect auth headers and token data in your browser. No input is sent to a server. Use it for first-pass checks on expiry, claims, and schemes.

Input (token string)

Result

Status

Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.

How to use

Paste a token string and click Check. Review likely formats, then move to the next verifier based on your target spec.

This is heuristic detection. Confirm against both specification and implementation.
Different formats can look similar. Always prioritize issuer documentation.

Estimate candidate formats such as JWT/UUID/Hex/Base64URL and show length plus charset summary.

This is a first-pass classifier when you do not know what token you are looking at.

Detection is heuristic. Authenticity (signature verification) and semantic validity must be checked separately.
Even if a token looks like JWT, do not trust it without checking alg/signature/key ID (kid).
Base64URL check is charset-based; some contexts require additional padding/length validation.

Why can auth fail even if a token looks like JWT?

Format checks do not verify signatures. Authentication still requires key, alg, iss/aud, and expiry validation.

Does UUID format imply a secure token?

No. UUID is an identifier format; authorization scope, revocation, and leak controls must be designed separately.

These links are generated from site_map rules in recommended diagnostic order.

Password Policy Generator — Create policy text and validation regex from requirements
Cookie Security Audit — Audit Secure/HttpOnly/SameSite settings
URL Safe Random — Generate random strings using URL/filename-safe characters
Password Seed Generator — Derive reproducible passwords from seed and constraints