Token Format Checker
Analyze character set, length, and separators of unknown tokens in your browser to estimate candidate formats. Your input stays on your device.
Status
Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.
How to use
Paste a token string and click Check. Review likely formats, then move to the next verifier based on your target spec.
Notes (this tool)
- This is heuristic detection. Confirm against both specification and implementation.
- Different formats can look similar. Always prioritize issuer documentation.
About this page
What does this tool do?
Estimate candidate formats such as JWT/UUID/Hex/Base64URL and show length plus charset summary.
This is a first-pass classifier when you do not know what token you are looking at.
What this tool does
- Detect JWT format
- Detect UUID/Hex/Base64URL
- Show length and character set
Notes
- Detection is heuristic. Authenticity (signature verification) and semantic validity must be checked separately.
- Even if a token looks like JWT, do not trust it without checking alg/signature/key ID (kid).
- Base64URL check is charset-based; some contexts require additional padding/length validation.
Debugging workflow (recommended)
- Paste tokens or authentication headers
- Check claims, auth scheme, and expiration
- Verify signature, scopes, and issuer with related tools
Referenced specs
- RFC 7519 (JWT)
- RFC 4648 (Base64 / Base64URL)
- RFC 9562 (UUID)
FAQ
Why can auth fail even if a token looks like JWT?
Format checks do not verify signatures. Authentication still requires key, alg, iss/aud, and expiry validation.
Does UUID format imply a secure token?
No. UUID is an identifier format; authorization scope, revocation, and leak controls must be designed separately.
References
Next to view (diagnostic order)
These links are generated from site_map rules in recommended diagnostic order.
- htpasswd Generator — Generate username:hash lines for .htpasswd
- Password Policy Generator — Create policy text and validation regex from requirements
- Hash / HMAC Generator — Generate SHA-family hashes and HMAC values
- Cookie Security Audit — Audit Secure/HttpOnly/SameSite settings
- Random Password — Generate random passwords with length, charset, and exclusion options
- Password Seed Generator — Derive reproducible passwords from seed and constraints
- Random Token Generator — Generate random tokens with selectable byte size and encoding
- URL Safe Random — Generate random strings using URL/filename-safe characters
Same-theme links
Security Operations
Generate practical passwords, tokens, and operation checklists quickly
- Random Password — Generate random passwords with length, charset, and exclusion options
- Password Seed Generator — Derive reproducible passwords from seed and constraints
- Random Token Generator — Generate random tokens with selectable byte size and encoding
- URL Safe Random — Generate random strings using URL/filename-safe characters
- Password Policy Generator — Create policy text and validation regex from requirements
- .env Diff Checker — Compare .env added/removed/changed keys
- Hash / HMAC Generator — Generate SHA-family hashes and HMAC values
- htpasswd Generator — Generate username:hash lines for .htpasswd
- WordPress Salt Generator — Generate 8 wp-config.php secret key constants
- WP Security Checklist Builder — Generate security operation checklists for WordPress