Guide: inspect JWT payload and claims
A JWT is three dot-separated Base64URL segments: header, payload, and signature. During OAuth, API gateway, or session debugging you need to see `exp`, `iss`, `aud`, and roles instead of guessing at them.
The decoder splits all three parts and pretty-prints payload JSON locally. Signature verification is out of scope — this is for reading, not trusting tokens. Avoid pasting production refresh tokens on shared machines.
Use when the API returns 401 and you suspect expiry, clock skew, or missing claims. Cross-check `exp` with the timestamp converter and confirm header `alg` (`RS256`, `HS256`) matches the issuer.
Step by step
- Paste the full token — Include the whole `eyJ…` string with its three dot-separated segments. If a segment is missing, the decoder reports the token as malformed.
- Read header and payload — Check `alg`, `typ` in the header and claims like `sub`, `email`, `scope` in the payload.
- Check expiry and clock — Convert `exp` and `nbf` to local time. Expired tokens explain sudden logouts.
- Do not trust without verification — A readable payload is not an authentic one; verify the signature on the server with the issuer's public key or shared secret before acting on any claim.
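A local decoder that does what the steps above describe, as an added example (Python; not the tool's own code): it splits the three segments, restores Base64URL padding, pretty-prints header and payload, and converts `exp`/`nbf` with a small clock-skew tolerance. The issuer, subject, key id and signature bytes in the sample token are constructed values; nothing here verifies the signature.

```python
import base64
import json
from datetime import datetime, timezone

def b64url_decode(segment: str) -> bytes:
    # Base64URL omits '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt(token: str) -> dict:
    """Split a compact JWT into header, payload and raw signature bytes.
    This only makes the token readable; it does not authenticate it."""
    parts = token.strip().split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed token: expected 3 segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return {"header": header, "payload": payload, "signature": b64url_decode(parts[2])}

def check_time_claims(payload: dict, now: int, skew: int = 60) -> list:
    """Human-readable findings for iat/nbf/exp, allowing `skew` seconds of drift."""
    findings = []
    for claim in ("iat", "nbf", "exp"):
        if claim in payload:
            ts = datetime.fromtimestamp(payload[claim], tz=timezone.utc).isoformat()
            findings.append(f"{claim} = {payload[claim]} ({ts})")
    if "exp" in payload and now > payload["exp"] + skew:
        findings.append(f"EXPIRED {now - payload['exp']}s ago")
    if "nbf" in payload and now + skew < payload["nbf"]:
        findings.append(f"NOT YET VALID for {payload['nbf'] - now}s")
    return findings

# Constructed sample token with a fake signature (not from any real issuer).
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "example-key-1"}
SAMPLE_PAYLOAD = {"iss": "https://issuer.example", "sub": "user-42", "aud": "api",
                  "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600,
                  "scope": "read write"}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode()),
    b64url_encode(b"\x00fake-signature-bytes"),
])

if __name__ == "__main__":
    parsed = decode_jwt(SAMPLE_TOKEN)
    print(json.dumps(parsed["header"], indent=2))
    print(json.dumps(parsed["payload"], indent=2))
    for line in check_time_claims(parsed["payload"], now=1700007200):
        print(line)
```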