JWT Decoder
Inspect JWT header and payload JSON during integration work. Decoding does not verify signatures—your API must still validate tokens server-side.
Check exp and aud claims when debugging “token expired” or “invalid audience” errors.
Paste a JWT to decode header and payload. Signature is not verified.
How to use
- Paste your JWT (the full token: header.payload.signature) into the input box.
- The tool decodes the header and payload from base64url and shows them as JSON.
- exp and iat are shown in human-readable date format when present.
- Use Share URL to copy a link with your token in the query string (?token=).
- Use Copy all to copy the decoded header and payload as JSON. This tool does not verify the signature.
1. JWTs carry claims, not guarantees
A JSON Web Token is two JSON objects (header and payload) plus a signature, each base64url-encoded and separated by dots; decoding reveals the JSON but does not prove it is trustworthy.
Libraries on your server must verify the signature with the correct key and validate standard claims like exp (expiry) and aud (audience) before trusting any payload field.
- Use this decoder to debug what an issuer actually put into a token during integration work.
- Never paste production tokens into public chats even if you “only” decode—tokens are often bearer credentials until they expire.
2. Common fields you will see
iss identifies who minted the token; sub usually identifies the subject user or client; iat and exp bound the token lifetime.
Scopes or permissions sometimes live in a space-delimited scope string or custom arrays—your authorization layer must interpret them consistently.
3. Security posture
Short-lived access tokens paired with refresh tokens keep the window in which a leaked token is useful short; logging the entire token is almost always a bad idea.
If you need to embed user info for purely client-side display, remember that clients can decode their own JWTs—never hide secrets inside the payload.
4. OpenID Connect and OAuth2 tokens
ID tokens carry identity claims; access tokens authorize API calls. Both may be JWTs, but validation rules differ. Always verify issuer, audience, and signature with the identity provider’s JWKS endpoint.
5. Debugging claim mismatches
“Invalid audience” often means the token was minted for a different API client. “Token expired” may be clock skew between issuer and verifier, or a custom claim written in milliseconds where seconds were expected.
6. Quick checklist for JWT debugging
Decode to inspect claims during integration only. Verify signature, exp, and aud on the server for every protected route.
- Never log full bearer tokens.
- Rotate keys on a documented schedule.
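As an added example (not the tool's own code), the decode-only step beside the server-side checks the checklist and section 5 call for, using only Python's standard library: the page's sample token is decoded without verification, and a token re-signed with a hypothetical demo key is verified for a pinned alg, signature, exp with clock-skew leeway, a milliseconds-vs-seconds sanity check, and aud.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical demo key, constructed for this example only.
DEMO_KEY = b"demo-secret-not-for-production"
# The page's sample token; its signature "x" is a placeholder, so it can never verify.
PAGE_SAMPLE = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEyMyIsImV4cCI6MTcwMDAwMDAwMH0.x"

def b64url_decode(segment):
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token):
    # What a decoder tool does: reveal header and payload, prove nothing.
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(payload, key):
    header_b64 = b64url_encode(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"

def verify_hs256(token, key, audience, now=None, leeway=60):
    # Server-side checks: pinned alg, signature, exp (with skew leeway), aud.
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":  # never let the token pick alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp > 10**11:  # > year 5000: almost surely milliseconds
        raise ValueError("exp missing, or looks like milliseconds rather than seconds")
    if now > exp + leeway:
        raise ValueError("token expired")
    aud = payload.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # RFC 7519 allows a string or an array
    if audience not in aud:
        raise ValueError("invalid audience")
    return payload
```

Pass a fixed `now` when reproducing a reported failure so the check is independent of the machine clock.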
Examples
Sample header and payload (unsigned demo)
Illustrates structure only—always verify real tokens on the server.
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEyMyIsImV4cCI6MTcwMDAwMDAwMH0.x
Claims to inspect
Look for exp, iat, aud, and scope when debugging authorization.
{
"sub": "user_123",
"aud": "api.example.com",
"exp": 1700000000
}