What is a JWT (JSON Web Token)?

A JWT is a compact token format used for authentication and authorization. It typically contains three dot-separated parts: header, payload (claims), and signature.

How do I decode a JWT token to debug 401 errors?

Decode the token and check exp (expired), nbf (not active yet), iss (issuer mismatch), aud (audience mismatch), and whether required claims are missing. These are common causes of 401.

How do I debug 403 Forbidden with a JWT?

403 usually means the token is valid but lacks permissions. Inspect scope/scp, roles, permissions, and custom authorization claims to see why access was denied.

Does this JWT decoder verify the signature?

No. This tool decodes and displays the header/payload only. Signature verification must be done server-side using the correct secret/public key and a strict allowlist of algorithms.

What do exp, iat, and nbf mean in a JWT?

exp is expiration time, iat is issued-at time, and nbf is not-before time. They’re usually Unix timestamps that define when a token is valid.

What are iss and aud and why do they matter?

iss (issuer) identifies who issued the token; aud (audience) identifies who the token is intended for. Backends commonly reject tokens when iss/aud don’t match expected values.

What’s the difference between an OAuth2 access token and an OIDC ID token?

Access tokens are for API authorization (often include scopes/permissions). ID tokens represent user identity for the client app (often include profile claims like email/name).

Is it safe to paste a production JWT into an online decoder?

This decoder runs locally in your browser and doesn’t send tokens to a server. Still, treat JWTs as sensitive: don’t share real tokens in screenshots or public tickets.

Why is 'alg: none' considered dangerous?

'none' means no signature. If a backend mistakenly accepts it, attackers can forge tokens. Always restrict allowed algorithms during verification.

Why does my token fail to decode or look corrupted?

Common causes: the token isn’t three segments, whitespace/newlines were inserted, it’s an opaque token (not JWT), or it’s a JWE (encrypted token with five segments).

JWT Decoder

Decode JWT tokens locally to inspect header + payload claims (exp/nbf/iat, iss/aud, scopes/roles) and debug OAuth2/OIDC authentication issues.

JWT Token

Input

Decoded JWT

Output

What is JWT Decoder?

JWT Decoder & Claims Inspector is a developer tool for decoding JSON Web Tokens (JWT/JWS) used in OAuth2, OpenID Connect (OIDC), SSO, and API authentication. Paste a token and instantly view the decoded header and payload as readable JSON, including important claims like exp (expiration), nbf (not before), iat (issued at), iss (issuer), aud (audience), sub (subject), jti (token id), scope/scp, roles, permissions, and custom app claims. This is ideal for debugging 401/403 errors, validating that your identity provider (Auth0/Okta/Cognito/Keycloak/etc.) is issuing the expected claims, and catching risky headers such as unexpected alg values. Decoding happens locally with Base64URL parsing—no network calls, no storage, and no token logging.

How to Use

Copy the full token from your Authorization header (Bearer …), cookie, localStorage, or API response

Paste the JWT into the input field (format: header.payload.signature)

Click "Decode JWT" (or decode automatically) to view header + payload as JSON

Check exp/nbf/iat to confirm the token is currently valid (clock skew can matter)

Verify iss (issuer) and aud (audience) match what your backend expects

Inspect scope/scp/roles/permissions claims to understand authorization decisions

Confirm typ/kid/alg in the header to ensure your verification settings match

Copy decoded JSON when debugging (avoid sharing real production tokens publicly)

Common Use Cases

Fix 401 Unauthorized: Confirm exp is not expired and nbf is not in the future

Fix 403 Forbidden: Inspect scopes/roles/permissions claims vs your RBAC rules

Debug OAuth2/OIDC issues: Verify iss/aud, client_id/azp, nonce, and identity claims

Troubleshoot API gateways: Compare claims at the edge vs downstream services

Validate SSO integrations: Ensure your IdP includes the claims your app requires

Check token type: Distinguish access tokens vs ID tokens by typical claim patterns

Detect suspicious headers: Spot alg=none, unexpected typ, missing kid, or weird structures

Explain auth bugs in PRs/tickets: Copy readable claim JSON instead of raw tokens

Key Features

Instant Base64URL decoding of JWT header + payload

Readable JSON output (great for debugging and documentation)

Highlights validation-critical claims

exp, nbf, iat, iss, aud, sub, jti

Works for OAuth2 access tokens and OIDC ID tokens (claim inspection)

Helps triage 401 vs 403 quickly by inspecting validity vs permissions

Local-only processing

no network calls, no uploads, privacy-first

Copy-friendly output for bug reports (sanitize sensitive claims first)

Handles common real-world claim shapes

scope/scp arrays/strings, roles, permissions

Learn more about this tool with our in-depth guides

Jan 5, 2025•10 min read

How to Decode JWT Tokens: A Complete Guide

Learn how to decode and validate JWT tokens. Understand JWT structure, security best practices, and common use cases.

#jwt #authentication #security+2

Quick Examples

Try these to get started

Decode a JWT with basic identity claims

Inspect sub, name, and iat to understand what the token represents.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Check expiration window (exp/nbf/iat)

Confirm whether the token is valid right now (watch for exp and nbf).

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsImlhdCI6MTcwMDAwMDAwMCwibmJmIjoxNzAwMDAwMDAwLCJleHAiOjE3MDAwMDM2MDB9.signature

OAuth2 access token with scopes (scope string)

Inspect iss/aud and scope when debugging 401/403 authorization issues.

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJhdWQiOiJodHRwczovL2FwaS5leGFtcGxlLmNvbSIsInN1YiI6InVzZXJfMTIzIiwic2NvcGUiOiJyZWFkOnVzZXJzIHdyaXRlOnVzZXJzIiwiaWF0IjoxNzAwMDAwMDAwLCJleHAiOjE3MDAwMDM2MDB9.signature

OAuth2 token with roles array (RBAC debugging)

Verify roles/permissions claims vs your RBAC rules when access is denied.

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI0MjEiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJyb2xlcyI6WyJ1c2VyIiwiYWRtaW4iXSwicGVybWlzc2lvbnMiOlsicmVhZDpyZXBvcnRzIiwid3JpdGU6dXNlcnMiXSwiZXhwIjoxNzM2MjA4MDAwfQ.signature

Validate issuer and audience (common OIDC misconfiguration)

Confirm iss/aud match your backend’s expected issuer and audience values.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2lkcC5leGFtcGxlLmNvbS8iLCJhdWQiOiJteS1hcGktYXVkaWVuY2UiLCJzdWIiOiJ1c2VyXzEyMyIsImV4cCI6MTczNjIwODAwMH0.signature

Spot algorithm/header issues (kid/alg/typ)

Use header fields (alg/kid/typ) to debug signature verification configuration.

eyJhbGciOiJSUzI1NiIsImtpZCI6IjIwMjYtMDEta2V5LTEiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiJ1c2VyXzEyMyIsImF1ZCI6ImFwaSIsImlzcyI6Imh0dHBzOi8vYXV0aC5leGFtcGxlLmNvbSIsImV4cCI6MTczNjIwODAwMH0.signature

Risky header example (alg: none) — for learning only

Inspect alg=none in the header (never accept 'none' during verification in production).

eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhdHRhY2tlciIsImFkbWluIjp0cnVlfQ.

OIDC ID token payload (profile claims)

Verify identity fields like email/email_verified/name when debugging login flows.

eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwiZW1haWwiOiJ1c2VyQGV4YW1wbGUuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJKb2huIERvZSIsInBpY3R1cmUiOiJodHRwczovL2V4YW1wbGUuY29tL3Bob3RvLmpwZyJ9.signature

JWE hint: token that won’t decode like a JWT (5 parts)

If the token has 5 dot-separated parts, it may be a JWE (encrypted). Decoding claims requires decryption keys, not just Base64URL parsing.

eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.eyJraWQiOiJrZXkxIn0.ZXhhbXBsZQ.encryptedPayload.tag

Common Questions

Find answers quickly

Related Tools

You might also need

Base64 Encoder / Decoder

Encode to Base64 or decode Base64 to text — supports Base64URL (JWT), UTF-8/Latin1, padding toggle, and auto-detect.

JSON Formatter & Validator

Format, validate, beautify, and minify JSON — instantly detect errors and debug API payloads safely in your browser.

URL Encoder & Decoder

Encode or decode URL strings and query parameters using percent-encoding (UTF-8)

Hash Generator

Generate MD5, SHA-256, SHA-384, and SHA-512 hashes from text for checksums, integrity checks, and fingerprints

UUID Generator

Generate random UUID v4 values for databases, APIs, request tracing, and distributed systems

Password Generator

Generate strong random passwords with custom length, symbols, numbers, and mixed-case options — built for secure account creation

What is JWT Decoder?

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJhdWQiOiJodHRwczovL2FwaS5leGFtcGxlLmNvbSIsInN1YiI6InVzZXJfMTIzIiwic2NvcGUiOiJyZWFkOnVzZXJzIHdyaXRlOnVzZXJzIiwiaWF0IjoxNzAwMDAwMDAwLCJleHAiOjE3MDAwMDM2MDB9.signature

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI0MjEiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJyb2xlcyI6WyJ1c2VyIiwiYWRtaW4iXSwicGVybWlzc2lvbnMiOlsicmVhZDpyZXBvcnRzIiwid3JpdGU6dXNlcnMiXSwiZXhwIjoxNzM2MjA4MDAwfQ.signature

JWT Decoder

What is JWT Decoder?

How to Use

Common Use Cases

Key Features

Highlights validation-critical claims

Local-only processing

Handles common real-world claim shapes

Related Articles

How to Decode JWT Tokens: A Complete Guide

Quick Examples

Decode a JWT with basic identity claims

Check expiration window (exp/nbf/iat)

OAuth2 access token with scopes (scope string)

OAuth2 token with roles array (RBAC debugging)

Validate issuer and audience (common OIDC misconfiguration)

Spot algorithm/header issues (kid/alg/typ)

Risky header example (alg: none) — for learning only

OIDC ID token payload (profile claims)

JWE hint: token that won’t decode like a JWT (5 parts)

Common Questions

What is a JWT (JSON Web Token)?

What is a JWT (JSON Web Token)?

How do I decode a JWT token to debug 401 errors?

How do I decode a JWT token to debug 401 errors?

How do I debug 403 Forbidden with a JWT?

How do I debug 403 Forbidden with a JWT?

Does this JWT decoder verify the signature?

Does this JWT decoder verify the signature?

What do exp, iat, and nbf mean in a JWT?

What do exp, iat, and nbf mean in a JWT?

What are iss and aud and why do they matter?

What are iss and aud and why do they matter?

What’s the difference between an OAuth2 access token and an OIDC ID token?

What’s the difference between an OAuth2 access token and an OIDC ID token?

Is it safe to paste a production JWT into an online decoder?

Is it safe to paste a production JWT into an online decoder?

Why is 'alg: none' considered dangerous?

Why is 'alg: none' considered dangerous?

Why does my token fail to decode or look corrupted?

Why does my token fail to decode or look corrupted?

Related Tools

Base64 Encoder / Decoder

JSON Formatter & Validator

URL Encoder & Decoder

Hash Generator

UUID Generator

Password Generator

JWT Decoder

What is JWT Decoder?

How to Use

Common Use Cases

Key Features

Highlights validation-critical claims

Local-only processing

Handles common real-world claim shapes

Related Articles

How to Decode JWT Tokens: A Complete Guide

Quick Examples

Decode a JWT with basic identity claims

Check expiration window (exp/nbf/iat)

OAuth2 access token with scopes (scope string)

OAuth2 token with roles array (RBAC debugging)

Validate issuer and audience (common OIDC misconfiguration)

Spot algorithm/header issues (kid/alg/typ)

Risky header example (alg: none) — for learning only

OIDC ID token payload (profile claims)

JWE hint: token that won’t decode like a JWT (5 parts)

Common Questions

What is a JWT (JSON Web Token)?

What is a JWT (JSON Web Token)?

How do I decode a JWT token to debug 401 errors?

How do I decode a JWT token to debug 401 errors?

How do I debug 403 Forbidden with a JWT?

How do I debug 403 Forbidden with a JWT?

Does this JWT decoder verify the signature?

Does this JWT decoder verify the signature?

What do exp, iat, and nbf mean in a JWT?

What do exp, iat, and nbf mean in a JWT?

What are iss and aud and why do they matter?