JWT Decoder

Decode JWT headers and payloads instantly in your browser. Inspect claims such as exp, iat, nbf, and alg in a readable format.

This tool only decodes JWT segments. It does not verify the signature with a secret or public key, so use it for debugging and claim inspection only.

JWT decoder guide

A JWT (JSON Web Token) is a token format commonly used for authentication and authorization flows. It is composed of dot-separated segments, and the header and payload are Base64URL-encoded JSON. During development, quickly reading those claims makes API debugging, session checks, and auth troubleshooting much easier.

Common use cases

  • Inspect exp, iat, and aud values inside an access token after login
  • Check what user or claims are embedded in a Bearer token during API debugging
  • Compare issuer, audience, and scope values between frontend and backend expectations
  • Understand why an auth flow fails by checking token expiration and timing claims

Claims you will see often

  • `iss` identifies the token issuer.
  • `sub` usually represents the subject, such as a user ID or resource ID.
  • `aud` indicates which service or app the token is intended for.
  • `exp`, `iat`, and `nbf` are time-based claims that frequently cause auth bugs when interpreted incorrectly.
  • `jti` is a unique token identifier sometimes used for revocation or tracing.

Limitations of this tool

  • It decodes token data but does not verify the signature or validate the issuer.
  • Encrypted JWE tokens cannot be read like plain JWT/JWS tokens.
  • Seeing a payload does not mean the token is trustworthy. Server-side validation is still required.
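
The decode-only behaviour and its limits, as an added JavaScript example (not this tool's own code): it splits a compact token, reads the header and payload, reports problems with the timing claims, and always marks the result as unverified. The names `inspectJwt`, `b64urlToJson`, `encodeSegment` and the sample token are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. No signature is verified here.
function b64urlToJson(segment) {
  // Base64URL -> Base64: swap the URL-safe alphabet and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  // Compact JWE has five segments; only its header is readable without keys.
  if (parts.length === 5) {
    return { kind: "JWE", header: b64urlToJson(parts[0]), payload: null,
             signatureVerified: false, notes: ["payload is encrypted"] };
  }
  if (parts.length !== 3) {
    throw new Error("expected 3 (JWS) or 5 (JWE) segments, got " + parts.length);
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const notes = [];
  // exp, nbf, iat are seconds since the Unix epoch (not milliseconds).
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) notes.push("expired");
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) notes.push("not yet valid");
  if (typeof payload.iat === "number" && payload.iat > nowSeconds) notes.push("iat is in the future");
  // Decoding proves nothing about authenticity, so this flag is always false.
  return { kind: "JWS", header, payload, signatureVerified: false, notes };
}

// Constructed sample input (not a real token); the signature is a placeholder.
function encodeSegment(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_NOW = 1700000000;
const sampleToken = [
  encodeSegment({ alg: "HS256", typ: "JWT" }),
  encodeSegment({ iss: "https://issuer.example", sub: "user-123", aud: "api.example",
                  iat: 1699996400, nbf: 1699996400, exp: 1699999999 }),
  "placeholder-signature",
].join(".");

console.log(inspectJwt(sampleToken, SAMPLE_NOW));
```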

Practical security tips

  • Avoid sharing production tokens. Use test or redacted samples whenever possible.
  • Even if the client can read JWT claims, final authorization checks should still happen on the server.
  • Do not rely on exp alone. Review issuer, audience, not-before checks, and signature validation together.

Related tools

JSON Formatter

Useful when you want to reformat or validate decoded header and payload JSON.

Timestamp Converter

Helpful for checking exp, iat, and nbf Unix timestamp claims as readable dates.

Base64 Encode/Decode

Handy for understanding encoding workflows related to JWT structure.

Frequently Asked Questions

This tool does not verify signatures. It only decodes the visible JWT segments. Signature validation requires the appropriate secret or public key and should be handled by your auth service or dedicated verification logic.

Typical JWT/JWS tokens can be decoded because the header and payload are encoded, not encrypted. JWE tokens are encrypted and cannot be inspected without the right keys.

Expiration affects whether a token should be accepted, not whether its encoded text can be decoded. You can still inspect its contents even after it is no longer valid for authentication.

Tokens are not uploaded. All decoding happens locally in the browser and nothing is sent to or stored on a server.