1 min readLocal-first workflow

How to Decode a JWT and Check Token Claims

Inspect a JWT header, payload, expiry time, and common claims without uploading the token.

Start with decode, not trust

A JWT decoder shows what is inside the token. It does not prove the token is valid, signed by the right system, or safe to use in production.

  • Header usually shows alg, typ, and sometimes kid.
  • Payload contains claims like sub, iss, aud, exp, nbf, and iat.
  • Signature presence only means a signature segment exists.

Check time-based claims

The most common reason a copied token fails is time. Check exp for expiry, nbf for not-before time, and iat for when the token was issued. JWT dates use Unix seconds, not milliseconds.

Use generated tokens for local testing only

Unsigned tokens and HMAC-signed test tokens are useful for fixtures, mocks, and local API checks. Do not use a browser-generated token as proof that your real authentication flow is secure.

Open the related tool and keep the workflow local.