Decode JWT Tokens to Debug Authentication

Advanced5 minutes6 steps

Learn how to decode and inspect JWT tokens to debug authentication issues in your application.

What You Need

A JWT token to decode
Basic understanding of authentication concepts

Get the JWT Token

Copy the JWT token from your application. Common sources: browser DevTools (Application > Cookies or Local Storage), API response headers (Authorization: Bearer ...), or server logs.

In DevTools, check the Application tab > Cookies or Local Storage for tokens. Also check the Network tab > request Headers for Authorization headers.

Open the JWT Decoder

Navigate to OnlineTools4Free JWT Decoder.

Paste the Token

Paste the full JWT token (including all three dot-separated parts) into the input field. The tool instantly decodes the header, payload, and signature.

Inspect the Header

Review the header section which contains the algorithm (alg) and token type (typ). Common algorithms are HS256 (HMAC) and RS256 (RSA). Mismatched algorithms are a common auth bug.

Analyze the Payload

Check the payload claims: "exp" (expiration — is the token expired?), "iat" (issued at), "sub" (subject/user ID), and any custom claims. Expired tokens are the #1 cause of auth failures.

The "exp" claim is a Unix timestamp. The decoder converts it to a human-readable date so you can see exactly when the token expires.

Debug Common Issues

Common JWT problems: expired token (exp in the past), wrong audience (aud does not match your app), missing required claims, or token issued by wrong issuer (iss). Fix the identified issue in your auth flow.

Ready to Try It?

Open the tool and follow the steps above. It is free, private, and works in your browser.

Try It Now

Frequently Asked Questions

Is it safe to paste JWT tokens in a web tool?

Yes, on OnlineTools4Free. All decoding happens in your browser — the token never leaves your device. Never paste tokens into server-side tools.

Can this tool verify JWT signatures?

The decoder shows the signature but cannot verify it without your secret key. Signature verification should be done server-side.

What does "exp" mean in a JWT?

"exp" is the expiration time as a Unix timestamp. Tokens with an expired "exp" claim should be rejected by your server.

Why is my JWT being rejected?

Common causes: expired token, wrong audience (aud), clock skew between servers, missing required claims, or algorithm mismatch.

What is the difference between HS256 and RS256?

HS256 uses a shared secret (symmetric). RS256 uses public/private key pairs (asymmetric). RS256 is more secure for distributed systems.

Related Tutorials

Intermediate5 minutes

Format and Debug API JSON Responses