Decode JWT Payloads Without Confusing Decode and Verify
A practical guide to reading JWT headers and payloads, checking exp and iat fields, and understanding why decoding is not signature verification.
Introduction
JWTs are readable by design. The header and payload are Base64URL-encoded JSON. Decoding them helps debug claims such as subject, issuer, audience, issued-at time, and expiration time. But decoding a JWT is not the same as verifying it.
The JWT Decoder helps inspect the header and payload text. As currently published, the tool processes tokens in the browser. Avoid entering sensitive tokens unless you have reviewed the implementation and your own security requirements.
Real-world scenario
You are debugging an API request that returns 401. The token payload includes:
{
  "sub": "user_123",
  "iss": "https://auth.example.com",
  "aud": "api",
  "iat": 1780030000,
  "exp": 1780033600
}
Decoding the token shows whether the audience is wrong or the expiration time has passed. Use Timestamp Converter to read iat and exp values.
Decode versus verify
Decode means turning the header and payload into readable JSON.
Verify means checking the signature with the expected algorithm, key, issuer, audience, and claims.
A decoded token can look normal and still be untrusted if the signature is invalid or the token came from the wrong issuer.
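The following is an added example, not code from the original page or from the JWT Decoder tool. It walks through what the decoder does (split the token, Base64URL-decode the header and payload, read the time claims) and then shows why that is not verification: a payload whose aud claim has been edited still decodes to normal-looking JSON, but an HS256 signature check over the same token fails. The key and token are constructed for the demonstration; the payload is the one from the scenario above.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    """Base64URL-decode one JWT segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    """Inverse of b64url_decode; used only to build the constructed sample."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) as dicts. This reads text only and trusts nothing."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def check_time_claims(payload: dict, now: int, leeway: int = 0) -> list[str]:
    """List problems with exp / nbf / iat relative to 'now'; an empty list means none."""
    problems = []
    exp, nbf, iat = payload.get("exp"), payload.get("nbf"), payload.get("iat")
    if exp is not None and now >= exp + leeway:   # RFC 7519: now must be before exp
        problems.append(f"expired: exp={exp} is {now - exp}s in the past")
    if nbf is not None and now < nbf - leeway:
        problems.append(f"not yet valid: nbf={nbf}")
    if iat is not None and iat > now + leeway:
        problems.append(f"issued in the future: iat={iat}")
    return problems


def verify_hs256(token: str, key: bytes) -> bool:
    """What 'verify' means: recompute the HMAC over header.payload and compare it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":       # pin the algorithm; never take it from the token alone
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def make_hs256_token(payload: dict, key: bytes) -> str:
    """Build a constructed, correctly signed sample token (demo helper, not a real issuer)."""
    compact = {"separators": (",", ":")}
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload_b64 = b64url_encode(json.dumps(payload, **compact).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def replace_aud_without_resigning(token: str, new_aud: str) -> str:
    """Edit the payload text only, to show decode still succeeds while verify fails."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["aud"] = new_aud
    edited_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{edited_b64}.{sig_b64}"


# Constructed sample values (not real credentials); the payload is the page's scenario payload.
SAMPLE_KEY = b"constructed-test-key"
SAMPLE_PAYLOAD = {"sub": "user_123", "iss": "https://auth.example.com", "aud": "api",
                  "iat": 1780030000, "exp": 1780033600}
SAMPLE_TOKEN = make_hs256_token(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    header, payload = decode_unverified(SAMPLE_TOKEN)
    print("header:", header)
    print("payload:", payload)
    print("time problems at exp+1s:", check_time_claims(payload, now=1780033601))
    edited = replace_aud_without_resigning(SAMPLE_TOKEN, "api-v2")
    print("edited token decodes to aud =", decode_unverified(edited)[1]["aud"])
    print("edited token verifies?", verify_hs256(edited, SAMPLE_KEY))
```

The two halves are deliberately separate functions: decode_unverified is the debugging view the page describes, and verify_hs256 is the decision your backend has to make before trusting any claim it saw in that view. Pinning the algorithm inside the verifier, rather than reading it from the header, is part of that decision.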
Common mistakes
Trusting a decoded token. Do not treat decoded claims as trustworthy until your backend verifies the signature and required claims.
Ignoring time fields. exp, nbf, and iat are often the fastest clues when diagnosing authentication bugs.
Pasting production tokens casually. Tokens can grant access. Treat them as sensitive unless they are test tokens.
Limits
This tool is for inspection and debugging. It does not verify signatures, validate issuer rules, or replace server-side authentication checks.
Practical QA pass
When a token fails in one environment but works in another, compare issuer, audience, algorithm, and time claims before changing application code. Many authentication bugs are configuration mismatches rather than parser failures.
For support tickets, copy only the non-sensitive claim names and timestamps you need, not the full token. A short note such as "aud is api-v2 but the service expects api" is safer and easier for reviewers to act on than a pasted production credential.
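An added example, not part of the original page, for the two QA habits just described: diffing the configuration-type claims (alg, iss, aud, and the time claims) between a token that works and one that fails, and writing a ticket summary that carries claim names, alg, and timestamps but not the token itself or identity claims such as sub. The two tokens are constructed inline with a placeholder signature segment, since nothing here verifies; the redaction list is an assumption for the demonstration.

```python
import base64
import json
from datetime import datetime, timezone

# Claims worth comparing across environments; mismatches here are usually config, not code.
COMPARE_CLAIMS = ("alg", "iss", "aud", "iat", "nbf", "exp")
# Assumed list of identity claims that should never be pasted into a ticket.
REDACTED_CLAIMS = {"sub", "email", "name", "preferred_username"}


def b64url_json(segment: str) -> dict:
    """Base64URL-decode one segment and parse it as JSON (no verification)."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def unverified_claims(token: str) -> dict:
    """Header alg plus all payload claims in one dict, read as text only."""
    header_b64, payload_b64, _sig = token.split(".")
    claims = dict(b64url_json(payload_b64))
    claims["alg"] = b64url_json(header_b64).get("alg")
    return claims


def compare_environments(working_token: str, failing_token: str) -> dict:
    """{claim: (working_value, failing_value)} for every COMPARE_CLAIMS entry that differs."""
    good, bad = unverified_claims(working_token), unverified_claims(failing_token)
    return {c: (good.get(c), bad.get(c)) for c in COMPARE_CLAIMS if good.get(c) != bad.get(c)}


def ticket_summary(token: str) -> str:
    """Ticket-safe text: which claims exist, alg, iss/aud, and time claims in UTC. No token, no identities."""
    claims = unverified_claims(token)
    lines = [
        "claims present: " + ", ".join(sorted(claims)),
        f"alg: {claims.get('alg')}",
    ]
    for c in ("iss", "aud"):
        if c in claims:
            lines.append(f"{c}: {claims[c]}")
    for c in ("iat", "nbf", "exp"):
        if isinstance(claims.get(c), int):
            when = datetime.fromtimestamp(claims[c], timezone.utc).isoformat()
            lines.append(f"{c}: {claims[c]} ({when})")
    for c in REDACTED_CLAIMS:
        if c in claims:
            lines.append(f"{c}: [redacted]")
    return "\n".join(lines)


def _unsigned_sample(payload: dict) -> str:
    """Constructed sample token; the third segment is a placeholder because this example never verifies."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


# Constructed inputs: staging works, production fails with the aud mismatch from the page's note.
STAGING_TOKEN = _unsigned_sample({"sub": "user_123", "iss": "https://auth.example.com", "aud": "api",
                                  "iat": 1780030000, "exp": 1780033600})
PROD_TOKEN = _unsigned_sample({"sub": "user_123", "iss": "https://auth.example.com", "aud": "api-v2",
                               "iat": 1780030000, "exp": 1780033600})

if __name__ == "__main__":
    print("differences:", compare_environments(STAGING_TOKEN, PROD_TOKEN))
    print(ticket_summary(PROD_TOKEN))
```

Run it and the diff is a single entry for aud, which is exactly the one-line finding the page suggests writing into a ticket; the summary shows the timestamps as UTC dates so a reviewer does not need to convert them, and prints sub only as a redaction marker.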
Next steps
- JWT Decoder — inspect JWT header and payload JSON
- Base64 Encoder/Decoder — inspect encoded text formats
- Timestamp Converter — convert JWT time claims
- JSON Formatter — format decoded JSON for tickets or debugging notes
Final practical note
Use decoding to understand what a token says. Use verification to decide whether your system should trust it.