JWT Decoder: Inspect and Debug JWT Tokens Online

If you've ever spent 20 minutes trying to figure out why your API returns 401 Unauthorized, you know how frustrating auth debugging can be. Half the time, the problem is staring right at you inside the JWT token — an expired timestamp, a missing claim, a wrong role. You just can't see it because it's Base64-encoded gibberish.
That's where a JWT decoder comes in. Paste your token, and you instantly get the decoded header, payload, and signature laid out in plain JSON. No more squinting at random strings.
What's Actually Inside a JWT Token?
A JWT (JSON Web Token) has three parts separated by dots. The first part is the header — it tells you the algorithm used for signing, usually HS256 or RS256. The second part is the payload — this is where all the good stuff lives. User IDs, roles, permissions, expiration times. The third part is the signature, which lets the server verify that the header and payload were not tampered with.
When you decode a JWT token, you're basically Base64url-decoding those first two parts. Checking the signature needs the signing key (the shared secret for HS256, the issuer's public key for RS256), but you don't need that just to read what's inside.
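Here is what that decoding step looks like in code. This is an added example, not the tool's own source: it splits the token on dots, Base64url-decodes the first two segments, parses them as JSON and converts the standard timestamp claims to ISO dates. The sample token is constructed inline from hypothetical claims, and its signature segment is a placeholder string, which the decoder accepts without complaint because decoding never touches the signature.

```javascript
// Added example: a minimal browser-compatible JWT decoder (not the page's own code).
// It reads the header and payload only; it does NOT verify the signature.

// JWT segments use the URL-safe alphabet ('-' and '_' instead of '+' and '/')
// and omit the '=' padding that standard Base64 would carry.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

function base64UrlDecode(segment) {
  const bytes = [];
  let bits = 0;
  let value = 0;
  for (const ch of segment) {
    const idx = B64URL.indexOf(ch);
    if (idx === -1) throw new Error(`invalid base64url character: ${JSON.stringify(ch)}`);
    value = (value << 6) | idx;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((value >> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// Encoder, used here only to construct the sample token below.
function base64UrlEncode(text) {
  let out = "";
  let bits = 0;
  let value = 0;
  for (const b of new TextEncoder().encode(text)) {
    value = (value << 8) | b;
    bits += 8;
    while (bits >= 6) {
      bits -= 6;
      out += B64URL[(value >> bits) & 63];
      value &= (1 << bits) - 1;
    }
  }
  if (bits > 0) out += B64URL[(value << (6 - bits)) & 63];
  return out;
}

const TIMESTAMP_CLAIMS = ["exp", "iat", "nbf"]; // seconds since the Unix epoch

function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  const header = JSON.parse(base64UrlDecode(headerB64));
  const payload = JSON.parse(base64UrlDecode(payloadB64));
  const timestamps = {};
  for (const claim of TIMESTAMP_CLAIMS) {
    if (typeof payload[claim] === "number") {
      timestamps[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  // The signature is returned as-is: reading it proves nothing about authenticity.
  return { header, payload, signature: signatureB64, timestamps };
}

// Constructed sample token (hypothetical claims; the signature is a placeholder,
// not a real HMAC, which a decoder cannot tell apart from a valid one).
function buildSampleToken() {
  const header = { alg: "HS256", typ: "JWT" };
  const payload = {
    sub: "user-42",
    role: "admin",
    iss: "https://auth.example.com",
    aud: "api.example.com",
    iat: 1700000000,
    exp: 1700003600,
  };
  return [
    base64UrlEncode(JSON.stringify(header)),
    base64UrlEncode(JSON.stringify(payload)),
    "placeholder-signature",
  ].join(".");
}

console.log(JSON.stringify(decodeJwt(buildSampleToken()), null, 2));
```

The `timestamps` object is the human-readable view the tool shows next to `exp` and `iat`; the raw numbers stay in `payload` so you can compare them against the current time directly.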
Common JWT Issues You'll Catch Immediately
I use this tool almost daily when working on auth flows. Here's what usually turns out to be the problem:
- Expired tokens — the `exp` claim is in the past. This is the #1 issue.
- Wrong audience or issuer — the `aud` or `iss` claim doesn't match what your server expects.
- Missing claims — your backend expects a `role` field but the token doesn't have one.
- Algorithm mismatch — the header says RS256 but your server is configured for HS256.
How to Use the JWT Decoder
It's literally three steps. Grab your token from your browser's dev tools (check the Authorization header or cookies), paste it into the decoder, and read the output. The header and payload show up as formatted JSON, and you'll see timestamps converted to human-readable dates so you don't have to Google "unix timestamp converter" separately.
Everything runs in your browser. Your tokens never leave your machine, which matters when you're working with production credentials.
Quick JWT Debugging Checklist
Next time your auth is broken, run through this:
- Is the token actually present in the request?
- Is it expired? Check `exp` vs current time.
- Are `iss` and `aud` correct?
- Does the algorithm in the header match your server config?
- Are all required claims present?
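The checklist above, and the common issues listed earlier, as one function. This is an added example, not the tool's own code: it takes an already-decoded header and payload (what a JWT decoder gives you), the values your server is configured for, and the current time in seconds, and returns a list of findings in the order of the checklist. The server configuration and the decoded token are constructed samples with hypothetical values.

```javascript
// Added example: the debugging checklist as detection logic over a decoded token.
// `decoded` is { header, payload } as produced by a JWT decoder, or null when no
// token was present in the request. Returns [] when every check passes.

function runJwtChecklist(decoded, expected, nowSeconds) {
  const findings = [];

  // 1. Is the token actually present in the request?
  if (!decoded) {
    findings.push("no token present in the request");
    return findings;
  }
  const header = decoded.header || {};
  const payload = decoded.payload || {};

  // 2. Is it expired? Compare exp against the current time.
  if (typeof payload.exp !== "number") {
    findings.push("no exp claim: token never expires");
  } else if (payload.exp <= nowSeconds) {
    findings.push(`expired ${nowSeconds - payload.exp}s ago (exp=${payload.exp})`);
  }

  // 3. Are iss and aud correct? aud may be a string or an array of strings
  //    (RFC 7519 section 4.1.3), so normalise to an array before checking.
  if (payload.iss !== expected.iss) {
    findings.push(`iss mismatch: got ${JSON.stringify(payload.iss)}, expected ${JSON.stringify(expected.iss)}`);
  }
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!audiences.includes(expected.aud)) {
    findings.push(`aud mismatch: got ${JSON.stringify(payload.aud)}, expected ${JSON.stringify(expected.aud)}`);
  }

  // 4. Does the algorithm in the header match the server config?
  if (header.alg !== expected.alg) {
    findings.push(`alg mismatch: header says ${header.alg}, server is configured for ${expected.alg}`);
  }

  // 5. Are all required claims present?
  for (const claim of expected.requiredClaims || []) {
    if (!(claim in payload)) findings.push(`missing required claim: ${claim}`);
  }
  return findings;
}

// Constructed sample: what the server expects (hypothetical values).
const SERVER_CONFIG = {
  alg: "HS256",
  iss: "https://auth.example.com",
  aud: "api.example.com",
  requiredClaims: ["sub", "role"],
};

// Constructed "current time" for the samples: 2023-11-15T00:13:20Z.
const NOW = 1700007200;

// Constructed decoded token that fails four of the checks: it expired an hour
// ago, was issued for a different audience, is signed with RS256, and lacks role.
const BROKEN_TOKEN = {
  header: { alg: "RS256", typ: "JWT" },
  payload: {
    sub: "user-42",
    iss: "https://auth.example.com",
    aud: ["mobile.example.com"],
    iat: 1700000000,
    exp: 1700003600,
  },
};

// Constructed decoded token that passes every check.
const GOOD_TOKEN = {
  header: { alg: "HS256", typ: "JWT" },
  payload: {
    sub: "user-42",
    role: "admin",
    iss: "https://auth.example.com",
    aud: "api.example.com",
    iat: 1700000000,
    exp: 1700010800,
  },
};

console.log(runJwtChecklist(BROKEN_TOKEN, SERVER_CONFIG, NOW));
console.log(runJwtChecklist(GOOD_TOKEN, SERVER_CONFIG, NOW)); // []
console.log(runJwtChecklist(null, SERVER_CONFIG, NOW));
```

Passing the current time in as a parameter rather than calling `Date.now()` inside keeps the checks reproducible, which is what you want when you are comparing a token captured an hour ago against the server's clock.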
Honestly, this saves me about 10 minutes every single time. Instead of adding console.log statements everywhere, I just decode the token and the answer is usually right there.