Developer Workflow

Decode a JWT safely before debugging authentication

Learn how to inspect JWT headers and payload claims without treating decoded tokens as verified or sharing secrets by accident.

Problem

JWTs are compact and easy to paste into logs, but the decoded payload can contain user identifiers, scopes, tenant IDs, and expiry times. Decoding helps with debugging, but it is not the same as verifying the signature.

When to use this

  • An API returns 401 or 403 and you need to check token expiry or audience.
  • A role or scope appears missing after login.
  • A support case includes a redacted token and you need to inspect non-secret claims.

Steps

  1. Redact sensitive values first

     Remove or replace token values before sharing them in tickets, screenshots, chat, or documentation.

  2. Decode header and payload

     Open the token locally and inspect the algorithm (alg), key identifier (kid), issuer (iss), audience (aud), subject (sub), expiry (exp), and scope claims.

  3. Check time-based claims

     Compare exp, nbf, and iat values against the machine or server clock involved in the failed request, allowing only a small leeway for clock skew.

  4. Verify elsewhere before trusting it

     Use your application, identity provider, or backend library to verify the signature before treating the token as authentic.

Example

JWT payload with expired access

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzQyIiwic2NvcGUiOiJyZWFkOmJpbGxpbmciLCJhdWQiOiJhcGkiLCJleHAiOjE3MDAwMDAwMDB9.signature

Output

{
  "sub": "user_42",
  "scope": "read:billing",
  "aud": "api",
  "exp": 1700000000
}
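The four steps above and the expired-token example, worked through in Python. This is an added example, not code from the original page: it redacts the token for sharing, decodes the header and payload without trusting them, reports exp/nbf/iat problems against a supplied clock, and shows that the sample token (whose third segment is the placeholder "signature") decodes fine yet fails HS256 verification. The key b"example-key-not-real" and the sign_hs256 helper used to mint a test token are constructed for the demo; in practice the verification step belongs to your JWT library or identity provider.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Sample token from the page: HS256 header, expired payload, placeholder signature.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiJ1c2VyXzQyIiwic2NvcGUiOiJyZWFkOmJpbGxpbmciLCJhdWQiOiJhcGkiLCJleHAiOjE3MDAwMDAwMDB9."
    "signature"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments omit '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_token(token: str) -> list:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return parts


def redact(token: str) -> str:
    """Step 1: keep only the header (alg/kid) so the string is safe to paste."""
    return split_token(token)[0] + ".<payload redacted>.<signature redacted>"


def decode_unverified(token: str):
    """Step 2: parse header and payload WITHOUT checking the signature.
    Everything returned here is untrusted input until verification passes."""
    header_seg, payload_seg, _ = split_token(token)
    return json.loads(b64url_decode(header_seg)), json.loads(b64url_decode(payload_seg))


def check_time_claims(payload: dict, now: int, leeway: int = 0) -> list:
    """Step 3: compare exp/nbf/iat with a clock; returns a list of findings."""
    problems = []
    exp, nbf, iat = payload.get("exp"), payload.get("nbf"), payload.get("iat")
    if exp is not None and now > exp + leeway:
        problems.append(f"exp: expired {now - exp} s ago")
    if nbf is not None and now + leeway < nbf:
        problems.append(f"nbf: not valid for another {nbf - now} s")
    if iat is not None and iat > now + leeway:
        problems.append(f"iat: issued {iat - now} s in the future (clock skew?)")
    return problems


def verify_hs256(token: str, key: bytes) -> bool:
    """Step 4, illustrated for HS256 only: recompute the MAC over
    'header.payload' and compare it in constant time."""
    try:
        header_seg, payload_seg, sig_seg = split_token(token)
        header = json.loads(b64url_decode(header_seg))
        given = b64url_decode(sig_seg)  # raises on the placeholder "signature"
    except (binascii.Error, ValueError):
        return False
    if header.get("alg") != "HS256":  # the token must not choose the algorithm
        return False
    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(given, expected)


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Mint a constructed test token so the positive path can be exercised
    without ever handling a real credential."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def inspect(token: str, now: int = None) -> dict:
    """Steps 1-3 in one report; 'verified' stays False until step 4 proves otherwise."""
    now = int(time.time()) if now is None else now
    header, payload = decode_unverified(token)
    return {
        "shareable": redact(token),
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "claims": payload,
        "time_problems": check_time_claims(payload, now),
        "verified": False,
    }


if __name__ == "__main__":
    print(json.dumps(inspect(SAMPLE_TOKEN), indent=2))
    # The page's token carries no real signature, so this prints False.
    print("signature valid:", verify_hs256(SAMPLE_TOKEN, b"example-key-not-real"))
```

The report deliberately hard-codes "verified": False: the decoder never flips it, only a successful signature check with a trusted key does, which keeps the "decoded means verified" mistake from creeping into debugging notes. Rejecting any alg other than the one the verifier expects is what stops a token from downgrading the check to "none" or to a different key type.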

Common mistakes

Assuming decoded means verified

Anyone can Base64URL-decode a JWT payload. Verification requires checking the signature and claims with trusted keys.

Sharing real production tokens

Access tokens can grant live permissions. Redact or use a test token before posting decoded claims anywhere.

FAQ

Is it safe to decode a JWT?

Decoding is safe as a local inspection step, but you should not share real tokens or treat decoded claims as trusted without signature verification.

Why does my token decode but still fail authentication?

The token may be expired, signed by the wrong issuer, intended for another audience, missing required scopes, or failing signature verification.

Can a JWT decoder validate permissions?

A decoder can show permission-related claims, but your backend or identity provider must decide whether those claims are valid for a request.