Verify JWT

Verify and decode a JWT token using a secret key or public key.

POST /v1/auth/jwt-verify (1 credit)

cURL:
curl -X POST "https://auth.toolkitapi.io/v1/auth/jwt-verify" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiJ9.abc123",
    "secret": "my-secret-key",
    "verify_exp": true
  }'
Python:

import httpx

resp = httpx.post(
    "https://auth.toolkitapi.io/v1/auth/jwt-verify",
    headers={"Authorization": "Bearer YOUR_API_KEY"},
    json={
        "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiJ9.abc123",
        "secret": "my-secret-key",
        "verify_exp": True,  # Python boolean; serialised to JSON true
    },
)
print(resp.json())
JavaScript:

const resp = await fetch("https://auth.toolkitapi.io/v1/auth/jwt-verify", {
  method: "POST",
  headers: {
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiJ9.abc123",
    "secret": "my-secret-key",
    "verify_exp": true
  }),
});
const data = await resp.json();
console.log(data);

Response 200 OK
{
  "valid": true,
  "payload": {"sub": "user_123", "role": "admin"},
  "header": {"alg": "HS256", "typ": "JWT"},
  "expired": false,
  "error": null
}

How to Use

1. Provide the `token` string to verify.
2. Set the `secret` to the signing key (HMAC secret) or PEM public key (RSA/EC).
3. Optionally set `verify_exp` to `false` to skip expiration checking.
4. Check the `valid` field in the response. If `true`, the `payload` contains the verified claims.

About This Tool

The Verify JWT endpoint validates a JWT token's signature and optionally checks its expiration. It returns the decoded payload if the token is valid, or a descriptive error if verification fails.

The endpoint auto-detects the algorithm from the token header, or you can restrict allowed algorithms with the `algorithms` parameter. This prevents algorithm confusion attacks where an attacker might try to verify an RS256 token using HS256 with the public key as the secret.

For expired tokens, the response still includes the decoded payload along with `expired: true`, so you can inspect claims even for tokens past their expiry.
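The allow-list and expired-token behaviour described above, shown as an added stand-alone example that is not the endpoint's own code: a local HS256 verifier returning the same `valid`/`payload`/`header`/`expired`/`error` fields. `sign_hs256` and `verify_jwt` are names assumed here, and the secret and claims are constructed test values.

```python
import base64, hashlib, hmac, json, time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token (used only to build constructed test tokens)."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, payload)]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])


def verify_jwt(token: str, secret: bytes, algorithms=("HS256",),
               verify_exp=True, now=None) -> dict:
    """Mirror the endpoint's response shape: valid/payload/header/expired/error."""
    result = {"valid": False, "payload": None, "header": None, "expired": False, "error": None}
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # wrong part count, bad base64url or bad JSON
        result["error"] = "malformed token"
        return result
    result["header"] = header
    # The header's "alg" is attacker-controlled: check it against the allow-list
    # before touching any key, so "none" or a swapped RS256/HS256 is rejected outright.
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in algorithms:
        result["error"] = f"algorithm {alg!r} not allowed"
        return result
    assert alg == "HS256", "this example implements HS256 only"
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        result["error"] = "invalid signature"
        return result
    result["payload"] = payload  # signature checked: claims are returned even if expired
    exp = payload.get("exp")
    if verify_exp and exp is not None and exp <= (time.time() if now is None else now):
        result["expired"], result["error"] = True, "token expired"
        return result
    result["valid"] = True
    return result
```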

Frequently Asked Questions

What does it mean when `valid` is `false` but `expired` is `true`?

The signature is correct, but the token's `exp` claim is in the past. The payload is still returned so you can inspect the claims. You might use this to implement token refresh flows.

Should I restrict the `algorithms` parameter?

Yes, in production. Restricting `algorithms` prevents algorithm confusion attacks. For example, if you only issue HS256 tokens, set `algorithms: ["HS256"]` to reject any token claiming to use a different algorithm.

Can I verify tokens from Auth0, Firebase, or other providers?

Yes. Provide the provider's public key (usually available as a JWKS endpoint) and set the appropriate algorithm. You may need to convert JWKS to PEM format first.

What happens with a malformed token?

The endpoint returns `valid: false` with a descriptive `error` message explaining the decode failure.
