AscendLab
Tool guide

JWT Decoder Guide

Reference for decoding JWT headers and payloads, reading claims, converting exp and iat values, and understanding decode versus verify.

Quick answer

Use the JWT Decoder to read the header and payload of a JSON Web Token. Decoding helps with debugging, but it does not verify the signature or prove that the token should be trusted.

What this tool shows

  • Header JSON
  • Payload JSON
  • Common claims such as sub, iss, aud, iat, nbf, and exp
  • Decoded text that can be copied into debugging notes

Example input and output

Input: a token with three dot-separated parts, such as header.payload.signature.

Output: readable JSON for the header and payload. For example, the payload may show claims like sub, iss, aud, iat, and exp, while the signature remains something the browser tool can display but not verify.

Use the decoded output to understand what the token says, then verify the signature, issuer, audience, and expiry in your backend or identity provider before trusting it.

Data handling and processing behavior

Processing is handled in the browser for this tool based on the current public implementation. Avoid entering sensitive production tokens unless you have reviewed the implementation and your security requirements.

Step-by-step use

  1. Paste a JWT string
  2. Review the decoded header
  3. Review the decoded payload
  4. Convert time claims with Timestamp Converter
  5. Verify the token server-side before trusting any claim

Practical workflow

Use JWT Decoder as a debugging reader, not a trust decision. Decode the token to inspect header and payload shape, convert time claims, then move the finding into backend verification, identity-provider logs, or a ticket. If the decoded payload needs to be shared as a safe example, use the Developer Data Cleanup Workflow to replace sensitive values and format the JSON.

Practical handoff note

For JWT handoff, never paste live tokens into tickets, docs, or chat transcripts. Decoding shows claims, headers, and timestamps, but it does not verify signatures or permissions. If you need to share a JWT example, replace identifiers, emails, scopes, and secrets with synthetic values before review.

Common errors

Confusing decode with verify. Decoding makes content readable. Verification checks trust.

Ignoring exp and nbf. Many auth bugs are time-window issues.

Pasting real user tokens casually. Tokens can grant access and should be treated as sensitive.

Limits

This tool does not verify signatures, validate algorithms, check keys, or enforce issuer and audience rules. Use backend verification for any security decision.

Next steps

Related tools