JWT Decoder & Inspector: What You're Looking At
This page adds the deeper context behind the tool: what a JWT decoder does, what it cannot do, and what usually goes wrong when you're staring at a token in the middle of an auth incident.
What is a JWT decoder?
A JWT decoder takes a JSON Web Token and turns the encoded header and payload back into readable JSON. Most JWTs are three dot-separated strings: header, payload, and signature. The first two segments are Base64URL-encoded JSON documents, so decoding them is just a matter of splitting the token and reversing that encoding.
That makes a JWT decoder a debugging tool, not a trust mechanism. It helps you inspect claims, compare environments, and understand why an auth flow is failing. It does not prove the token was signed correctly or should be accepted by your service. If a token says "admin":true, decoding tells you the claim exists; verification tells you whether it should be believed.
For day-to-day development, a browser-based JWT decoder online tool is often the fastest path. Paste the token, click Decode Token, inspect the claim set, copy the parsed JSON, move on. When the tool runs locally in the browser, you also avoid sending potentially sensitive token contents to someone else's backend. If you edit the token after decoding, the previous result clears until you decode the new value.
How to use this tool
- Paste the full JWT into the input, including all three dot-separated segments.
- Read the decoded header first to check
alg,typ, and optionallykid. - Inspect the payload claims such as
iss,sub,aud,scope,iat,nbf, andexp. - Compare timestamps and claim values against the service that's accepting or rejecting the token.
- If the token still fails, move from decoding to full signature verification with the correct key material.
Common use cases
- Debugging a
401or403to see whether the token is expired, early, or missing required scopes - Inspecting OpenID Connect ID tokens to confirm issuer, audience, nonce, and subject values
- Comparing staging and production tokens when an identity provider is configured differently per environment
- Checking whether a custom claim like
tenant_id,roles, orpermissionswas actually minted - Confirming which signing algorithm and key ID an auth provider is advertising in the token header
- Quickly reviewing webhook bearer tokens or service-to-service tokens during incident response
JWT structure: header, payload, signature
JWT stands for JSON Web Token. In compact serialization, it looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJleHAiOjE3MTI1OTIwMDB9.signature
Each segment has a different purpose:
- Header - metadata such as signing algorithm (
alg), token type (typ), and sometimes key ID (kid) - Payload - claims about the subject, issuer, audience, time window, or app-specific authorization data
- Signature - a cryptographic signature over the first two segments that lets a verifier detect tampering
The header and payload are easy to decode because they are just JSON underneath. The signature is different: it is not meant to be human-readable. You can inspect it as bytes or text, but that is rarely useful without verifying it against the correct secret or public key.
Standard claims worth checking first
When a token fails in production, these are usually the first fields to inspect:
| Claim | Meaning | Why it breaks things |
|---|---|---|
iss |
Issuer | Wrong auth server, wrong environment, typo in expected issuer |
sub |
Subject | Unexpected user or client identity |
aud |
Audience | Token minted for one service but sent to another |
exp |
Expiration time | Token has expired |
nbf |
Not before | Token is being used too early |
iat |
Issued at | Helps explain clock skew and token freshness |
jti |
Token ID | Useful for tracing or replay protection |
Custom claims matter just as much in real systems. For example, if your gateway expects scope: "read:users" and the token only contains scope: "profile", the auth failure is not mysterious anymore.
Base64URL vs Base64
JWTs do not use plain Base64. They use Base64URL, a URL-safe variant defined in RFC 4648. The differences are small but important:
+becomes-/becomes_- Padding with
=is often omitted
That is why code like atob(token.split('.')[1]) sometimes works and sometimes blows up. If the segment length is not a multiple of 4 or it contains URL-safe characters, a naive decoder can fail. A proper JWT decoder normalizes the segment first, restores padding if needed, and then decodes the JSON.
If you ever need to handle it manually, the rough transformation is:
segment.replace(/-/g, '+').replace(/_/g, '/')
Then add enough = padding to reach a length divisible by 4 before decoding.
Decoding vs verification: the security boundary
This is the most important distinction on the page.
Decoding is parsing. Verification is trust.
When you decode a token, you learn what the issuer intended to say. When you verify it, you check whether the token was actually signed by the expected key, with an allowed algorithm, for the right audience, within the correct time window.
Common verification checks include:
- signature matches the secret or public key
algis allowed and not downgraded to something unexpectedissmatches the configured issueraudincludes your service or client IDexphas not passednbfis not in the future
If you skip those checks and trust decoded claims directly, forged or replayed tokens become your problem.
Practical debugging patterns
When a token issue lands on your desk, the fastest order of operations is usually:
- Decode the token locally and inspect the header and payload.
- Check
exp,nbf, andiatagainst current time and known clock skew. - Compare
issandaudwith the exact values your service expects. - Look for missing custom claims such as
scope,roles, or tenant identifiers. - Only after that dig into signature verification, JWKS lookup, or middleware configuration.
This sequence catches a surprising amount of auth breakage before you need to instrument anything deeper.
Privacy and local decoding
Tokens are not always secrets in the cryptographic sense, but they often contain sensitive data. Email addresses, internal IDs, permission sets, tenancy metadata, and auth provider details all show up in JWT payloads. A tool that lets you decode JWT token locally in the browser reduces the chance that those details end up in third-party logs, analytics, or request archives.
That does not make a token harmless. You should still treat pasted credentials carefully, especially if the token is still live. But for inspection, local browser decoding is a better default than shipping bearer tokens to a remote service just to see the payload.
Troubleshooting
Why does the decoded payload look valid but authentication still fails? — Because decoding only shows claims. Verification can still fail on signature, issuer, audience, exp, nbf, or middleware configuration.
Why won't a JWT segment decode in my standard Base64 tool? — JWT uses Base64URL. Replace - with +, _ with /, and restore missing = padding before decoding.
What is the difference between iat, nbf, and exp? — iat is when the token was issued, nbf is the earliest time it should be accepted, and exp is when it should stop being accepted.
Can I trust claims after decoding them? — No. Not until the token has been verified with the expected key and policy checks.
Is a JWT encrypted? — Usually no. Standard signed JWTs are just encoded plus signed. Anyone who has the token can often read the header and payload.
Why is my token missing the third segment? — It may not be a JWT, it may be truncated during copy/paste, or you're looking at a different token format entirely.