
How to decode a JWT token online without confusing decoding with verification

Use a JWT decoder to inspect token claims for debugging, while keeping the security boundary clear: decoded claims are not trusted claims.


JWTs can grant access to accounts and APIs. Do not paste live production tokens, refresh tokens, private customer data, or confidential claims into public tools.

Decode JWTs for inspection, not trust

A JWT decoder helps you read the header and payload while debugging authentication, API permissions, expired sessions, and claim mapping. But a decoded token can be forged. Treat every visible claim as untrusted until your backend verifies the signature and validation rules.

Header

Check alg, typ, kid, and signing-key hints before debugging verification failures.

Payload

Inspect subject, issuer, audience, scopes, roles, tenant IDs, and application-specific claims.

Time claims

Compare exp, nbf, and iat with your server clock when sessions expire unexpectedly.

Security boundary

Decoding is readable inspection. Verification is a trust decision made with keys and rules.

A safe JWT debugging workflow

1. Use a sample or redacted token

   Prefer a test token, expired token, or payload with sensitive values removed.

2. Decode the header and payload

   Check whether the token contains the claims your app expects before testing API calls.

3. Inspect expiration and audience

   Many auth bugs come from wrong audience, stale issuer config, expired tokens, or clock skew.

4. Verify on the server

   Only trusted backend validation can confirm signature, issuer, audience, lifetime, and policy checks.

Decode a JWT locally in your browser

Use the JWT decoder to inspect header, payload, signature text, and common claims while keeping verification rules separate.


Frequently asked questions

Does decoding a JWT verify it?

No. Decoding only reveals the Base64URL header and payload. A server must verify the signature, issuer, audience, expiration, and policy rules before trusting claims.

What JWT claims should I inspect first?

Start with alg, typ, sub, iss, aud, exp, nbf, iat, scope, role, tenant, and any custom claims your application depends on.

Is it safe to paste a production JWT into an online decoder?

Avoid pasting live access tokens into any public tool. Use sample tokens, expired tokens, or redacted payloads whenever possible.
