JWT Claims Diff

Decode two JSON Web Tokens and see exactly which claims were added, removed or changed between them — including human-readable expiry deltas. Runs entirely in your browser; no token is uploaded and no signature is verified.

Try:
Claims diff report (JSON)

About this tool

JWT Claims Diff decodes two compact JSON Web Tokens locally and compares the claims in their payloads. It shows which top-level claims were added, removed, or changed, how many stayed the same, and whether the tokens are claim-equivalent.

No verification key is requested and signatures are not verified. This tool is for offline inspection and comparison only; use a JWT verification tool when you need to prove a token is authentic.

Worked example

Comparing an old token with role: "user" and scope: ["read"] to a new token with role: "admin", scope: ["read", "write"], and a new plan claim returns an excerpt like:

{
  "equal": false,
  "summary": { "added": 1, "removed": 0, "changed": 3, "unchanged": 3 },
  "payload": [
    { "claim": "role", "kind": "changed", "old": "user", "new": "admin" },
    { "claim": "scope", "kind": "changed", "old": ["read"], "new": ["read", "write"] },
    { "claim": "plan", "kind": "added", "new": "pro" }
  ]
}

Limits & edge cases

FAQ

Does this verify the JWT signature?

No. It deliberately decodes without a verification key and compares the decoded JSON. Use it to understand what changed between two tokens, not to decide whether either token should be trusted.

Can it compare the token header as well as the payload?

Yes. Leave “Also diff the JOSE header” enabled to include header parameters such as alg, typ, and kid. Turn it off when you only care about payload claims.

How are expiration changes reported?

When both payloads include numeric exp values, the report includes each expiry as UTC plus delta_seconds, so you can quickly see whether the second token expires earlier, later, or at the same time.

Does it recursively diff nested claim objects?

No. Top-level claims are the unit of comparison. If a nested object or array changes, that whole claim is marked as changed and both values are shown.

Developer & Automation Access

Run it from the terminal

Same engine as this page, headless — via the gizza CLI:

gizza tool jwt-claims-diff "Paste the old compact JWT (header.payload.signature)…" 'right=Paste the new compact JWT to compare…'

New to the CLI? Get gizza →

Open it by URL

Pre-fill and auto-run this tool with query parameters — the names match the API/CLI:

https://gizza.ai/tools/jwt-claims-diff/?left=Paste%20the%20old%20compact%20JWT%20%28header.payload.signature%29%E2%80%A6&right=Paste%20the%20new%20compact%20JWT%20to%20compare%E2%80%A6&include_header=true&indent=2

Machine-readable descriptor: tool.json — title + parameters JSON Schema for agents.