DevToolStack

JWT guide

How to inspect JWT claims online without confusing decoding and verification

JWTs are easy to paste and hard to read. This guide explains how to inspect token claims, what to check first, and why decoding alone does not prove a token is trustworthy.

Why JWT decoding matters

Most token issues are visible in the claims before they are visible in application logs. A JWT may be expired, issued by the wrong provider, intended for the wrong audience, or missing a required subject or scope. Decoding the header and payload lets teams inspect those details immediately.

Decoding is not verification

JWT decoding only reveals the header and payload. It does not confirm that the signature is valid or that the token was issued by a trusted source. Signature verification must happen separately with the correct secret or public key. A good debugging workflow keeps those two steps distinct.

Claims worth checking first

Start with the algorithm (alg) in the header, then inspect the payload claims iss (issuer), aud (audience), sub (subject), exp (expiration time), iat (issued at), and nbf (not before). Those values often reveal why a token is being rejected by an API gateway, middleware layer, or downstream service.
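The Python sketch below is an added example, not code from DevToolStack. It keeps the two steps described above apart: decoding plus claim inspection on one side, signature verification on the other. It assumes HS256 as the expected algorithm, and the issuer, audience, secrets and timestamps are constructed sample values.

```python
import base64, hashlib, hmac, json

def b64url_decode(part):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token):
    """Return (header, payload). Says nothing about who issued the token."""
    header_b64, payload_b64, _sig = token.split(".")  # ValueError unless 3 parts
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def claim_findings(header, payload, iss, aud, now, alg="HS256"):
    """Names of the checks that fail; a missing exp counts as a failure."""
    token_aud = payload.get("aud")
    auds = token_aud if isinstance(token_aud, list) else [token_aud]
    checks = {
        "alg": header.get("alg") == alg,
        "iss": payload.get("iss") == iss,
        "aud": aud in auds,
        "sub": bool(payload.get("sub")),
        "exp": now < payload.get("exp", 0),
        "nbf": payload.get("nbf", now) <= now,
        "iat": payload.get("iat", now) <= now,
    }
    return [name for name, ok in checks.items() if not ok]

def verify_hs256(token, secret):
    """Separate step. The verifier fixes the algorithm; it is not read from the header."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def sign_hs256(payload, secret):  # helper that builds the sample tokens below
    parts = ({"alg": "HS256", "typ": "JWT"}, payload)
    body = ".".join(b64url_encode(json.dumps(p).encode()) for p in parts)
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url_encode(mac)

# Constructed sample data: issuer, audience, secrets and times are made up.
SECRET, NOW = b"demo-secret", 1_700_000_000
CLAIMS = {"iss": "https://idp.example", "aud": "orders-api", "sub": "user-1",
          "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 300}
GOOD = sign_hs256(CLAIMS, SECRET)
EXPIRED = sign_hs256({**CLAIMS, "exp": NOW - 1}, SECRET)
UNTRUSTED = sign_hs256({**CLAIMS, "sub": "admin"}, b"other-key")  # wrong signer
```

UNTRUSTED decodes cleanly and passes every claim check, yet fails verification against SECRET. EXPIRED is the reverse: the signature is valid, but the exp check fails.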

A practical JWT workflow

Decode the token, inspect the claims, then use Timestamp Converter to read the exp, iat, and nbf values as human-readable times. If the token is embedded in a redirect or callback parameter, continue with URL Encoder & Decoder. If you need to inspect raw encoded fragments, use Base64 Encoder & Decoder.

JWT troubleshooting often overlaps with JSON Formatter for payload cleanup and Hash Generator when surrounding workflows include checksums or signing-related debugging tasks.