JWT Decoder — Header, Payload & Expiry

JWTs concatenate header, payload, and signature with dots. Header declares type and signing algorithm. Payload holds claims — subject, roles, expiration. Signature prevents tampering when verified with the correct secret or public key.

Many APIs accept Bearer tokens in Authorization headers. OAuth access tokens and session substitutes often use JWT format even when opaque tokens would suffice.

Tokens are bearer credentials — anyone with the string impersonates the user until expiry. Sending tokens to third-party decoder websites has caused real incidents. Our page never transmits the token off-device.

Close tabs after debugging. Clear textarea on shared machines. Prefer redacted samples in screenshots.

exp is NumericDate seconds since Unix epoch. We multiply by one thousand for JavaScript Date comparison. expired true when current time exceeds exp. Missing exp shows valid without expiration — may indicate long-lived tokens worth policy review.

Allow thirty to sixty seconds skew between issuer and validator clocks in production verification code.

alg declares signing method — HS256 for symmetric, RS256 for RSA public-key. None algorithm attacks historically exploited validators that trusted header alg blindly. Always pin allowed algorithms server-side.

Display-only alg here helps spot unexpected none or HS256 on services expecting RS256.

sub identifies the subject user. iss and aud tie token to issuer and intended recipient. iat marks issued-at time. scope or custom claims encode permissions. nbf blocks early use before not-before time.

Decoded JSON helps compare staging vs production token shapes during integration debugging.

Signature verification requires issuer public key or shared secret not available in a browser tool. Never trust payload contents for authorization decisions based on decode alone — attackers forge unsigned bodies.

Encrypted JWE tokens use five segments — this decoder expects standard three-part JWS.

Sudden 401 responses often trace to expired exp or aud mismatch. Compare expiresAt with server logs. Header alg drift after key rotation implicates stale configuration.

Pair with CORS checker when browser clients fail after token refresh — separate transport from token issues.

Avoid logging full tokens in application logs — decode offline with redacted copies. Rotate signing keys on schedule. Prefer short access token lifetimes with refresh tokens stored HttpOnly.

Use cookie analyzer on login endpoints to confirm session cookies carry Secure and HttpOnly flags alongside JWT APIs.

Invalid JWT format means not exactly three parts — check for truncated paste or Bearer prefix left attached. Failed payload decode indicates corrupted Base64URL or non-JSON content.

Strip Bearer prefix and whitespace before paste.

Tokens may contain personal data under GDPR — treat decoded payload as PII in support tickets. Document who accessed decode tools during incident response.

Decode supports transparency during security reviews without exposing tokens to external SaaS decoders.