encrypt

JWT Decoder: Expired Token and Signature Checks

Use a JWT decoder to inspect expired tokens, Base64URL payloads, claims, audience mismatches, and signature expectations without treating decode as verification.

A JWT decoder is useful when a token looks valid but an API still rejects it. The decoder can split the token into header, payload, and signature sections, make the readable claims easier to inspect, and help you spot expired timestamps or an unexpected audience. It cannot prove that the token is trustworthy by itself.

That distinction matters. JWT payloads are encoded, not encrypted. Anyone with the token can decode the header and payload. Verification is a separate step that checks the signature, key, algorithm, and issuer rules used by the service that accepts the token.

Decode first, verify separately

A JSON Web Token usually has three dot-separated parts:

  1. header;
  2. payload;
  3. signature.

The header and payload are Base64URL-encoded JSON. A JWT Decoder helps you inspect those JSON sections. If you paste the entire token into a normal Base64 Encoder, the dots and Base64URL alphabet can confuse the workflow. Decode the token as JWT, not as one long Base64 string.

Decoding answers questions like:

  • What algorithm does the header claim?
  • Which issuer created the token?
  • Which audience is expected?
  • When does the token expire?
  • Which scopes or roles appear in the payload?

Verification answers a different question: did the expected issuer sign this token with the expected key and algorithm?

Check the time-based claims first

Expired or not-yet-valid tokens are common causes of API failures. The registered claims you usually inspect are:

Claim Meaning Debug question
exp expiration time Has the token already expired?
nbf not before Is the token being used too early?
iat issued at Was the token minted at the expected time?

These values are commonly Unix timestamps. If your decoder shows a raw number, convert it and compare it with the server clock. Time zone confusion can make a valid timestamp look wrong in a local UI, so compare UTC time as well as local display time when debugging logs.

Inspect issuer, audience, and scope

A token can be unexpired and still fail authorization. The payload may have the wrong issuer, wrong audience, missing scope, or a role that does not match the route being called.

Useful checks include:

  • iss: does the issuer match the identity provider your API expects?
  • aud: is the token meant for this API, or for another service?
  • sub: is the subject the user, service account, or client you expected?
  • scope or scp: does it include the operation being attempted?
  • custom role claims: do they match the server-side authorization rule?

Do not edit a decoded payload and assume the token is fixed. Changing the payload invalidates the signature. Generate a new token from the issuer instead.

Understand Base64URL boundaries

JWT uses Base64URL encoding, which is designed for URL-safe text. It is related to Base64 but uses different characters for URL safety and often omits padding. That is why JWT segments may not decode cleanly in every generic Base64 tool.

If you need to inspect only one segment, copy exactly one section between dots. If the output is JSON, format it and compare the field names. If it is not JSON, check whether you copied the wrong segment or whether the token format is not actually JWT.

Signature expectations and common mistakes

The third segment is the signature. A decoder can show that the token has a signature-shaped segment, but it cannot confirm trust unless it also has the correct verification key and algorithm rules.

Common mistakes include:

  • treating decoded payload text as proof of authenticity;
  • accepting alg from the token header without server-side restrictions;
  • mixing HMAC and RSA expectations;
  • using the wrong public key or key ID;
  • copying a token with a missing or extra character;
  • adding whitespace around the bearer token.

For HMAC-based checks, use a controlled test value and compare expected output with an HMAC Generator. For asymmetric examples, understand the public/private key split before using an RSA-related tool such as RSA Encrypt for learning.

A safe browser-side debugging workflow

Use this sequence when a token fails in a request:

  1. Copy only the token value, not the Bearer prefix.
  2. Decode with a JWT-specific tool.
  3. Check exp, nbf, and iat.
  4. Check issuer, audience, subject, and scopes.
  5. Confirm whether the API expects HMAC, RSA, or another configured algorithm.
  6. Redact the token before sharing logs or screenshots.
  7. Generate a fresh token from the issuer if any claim is wrong.

Never paste production tokens into tickets, chats, or examples without redaction. A decoded payload can expose user IDs, email addresses, tenant names, roles, or internal identifiers even when the signature is not usable.

FAQ

Does decoding a JWT verify it?

No. Decoding makes the header and payload readable. Verification checks the signature and issuer rules.

Why does my JWT look like Base64 but fail in a Base64 tool?

JWT segments use Base64URL and are separated by dots. Use a JWT decoder or decode one segment at a time with Base64URL support.

Is the JWT payload encrypted?

Usually no. Standard JWT payloads are encoded and readable. Treat them as sensitive because they may contain identifiers or authorization data.

What should I check first when a token is rejected?

Start with expiration, audience, issuer, and scopes. Then check whether the server verifies the signature with the expected key and algorithm.

Back to tutorials

Continue reading

Decode JWT Payload with Base64 Safely

Learn how to decode a JWT payload with Base64, inspect claims in a browser, compare token segments, and avoid mistaking decoded content for verified signatures.

Base64 Encoder for API Debugging Boundaries

Use a Base64 encoder in API debugging to inspect Basic Auth, tokens, payload fragments, character encodings, decoded JSON layers, JWT boundaries, and safe redaction practices without treating reversible encoding as encryption.

Base64 Encoding for API Payloads

Decide when API payload fields should use Base64, when URL-safe Base64 matters, why reverse-decoding a test value prevents broken requests, and why Base64 must not be treated as protection for tokens, keys, or private user data.