How to Decode a JWT and Check Token Claims
Inspect a JWT header, payload, expiry time, and common claims without uploading the token.
Start with decode, not trust
A JWT decoder shows what is inside the token. It does not prove the token is valid, signed by the right system, or safe to use in production.
- Header usually shows alg, typ, and sometimes kid.
- Payload contains claims like sub, iss, aud, exp, nbf, and iat.
- Signature presence only means a signature segment exists.
Check time-based claims
The most common reason a copied token fails is time. Check exp for expiry, nbf for not-before time, and iat for when the token was issued. JWT dates use Unix seconds, not milliseconds.
Use generated tokens for local testing only
Unsigned tokens and HMAC-signed test tokens are useful for fixtures, mocks, and local API checks. Do not use a browser-generated token as proof that your real authentication flow is secure.
Open the related tool and keep the workflow local.