What a decoder can show
A JWT decoder can split the token into header, payload, and signature sections, then show readable JSON for the first two sections. This helps when checking issuer, audience, subject, expiration, scopes, or custom claims during local debugging.
What it cannot prove
Decoding a JWT does not verify the signature. Anyone can modify a token's payload, and the change goes unnoticed unless the server validates the token with the expected algorithm, key, issuer, audience, and expiration rules. Treat decoded output as an inspection view, not as authentication evidence.
- Use decoding to read claims and understand structure.
- Use server-side verification to decide whether a token is trustworthy.
- Avoid pasting production tokens into tools you do not control.
Debugging checklist
When authentication fails, compare the expected issuer and audience, check the expiration time, confirm the algorithm matches the service configuration, and verify that the application is reading the correct token from the request.
How to use this guide
1. Paste a safe token. Use a development or sanitized JWT and avoid sharing production credentials or private claims.
2. Decode header and payload. Inspect the algorithm, key identifier, issuer, audience, subject, expiration, and authorization-related claims.
3. Verify trust elsewhere. Use server-side verification to confirm signature, issuer, audience, and expiration before making authentication decisions.
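The gap between "What it cannot prove" and the "Verify trust elsewhere" step, as an added example (not code from this page or from any decoder tool): a payload edited after signing still decodes cleanly, and only the server-side check rejects it. It uses the Python standard library with HS256; the key, issuer, audience, and helper names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, key):
    # Demo helper: builds a constructed HS256 token.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def decode_unverified(token):
    # What a decoder does: base64url-decode and parse. No trust is established.
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

def verify_hs256(token, key, issuer, audience, now=None):
    # Server-side check: pinned algorithm, signature, issuer, audience, expiry.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the service pins alg; the token does not choose it
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= (now or time.time()):
        raise ValueError("expired or missing exp")
    return claims

def tamper(token, **changes):
    # Rewrites payload claims while keeping the original signature bytes.
    header, payload, sig = token.split(".")
    claims = {**json.loads(b64url_decode(payload)), **changes}
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.{sig}"

# Constructed sample values (not real credentials).
KEY = b"dev-only-constructed-key"
TOKEN = sign_hs256({"iss": "https://issuer.example", "aud": "api.example",
                    "sub": "user-1", "scope": "read", "exp": 4102444800}, KEY)
```

Calling `decode_unverified(tamper(TOKEN, scope="admin"))` returns the edited claims without complaint, while `verify_hs256` on the same token raises `ValueError("bad signature")`.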
Frequently asked questions
Does a JWT decoder verify the token signature?
No. A decoder shows readable header and payload data. Signature verification must happen in trusted server-side code with the expected algorithm and keys.
Is it safe to paste a JWT into a decoder?
Only paste tokens you are allowed to inspect. Avoid production tokens and remove sensitive claim values when documenting examples.
Which JWT claims are most useful for debugging?
Issuer, audience, subject, expiration, issued-at time, scopes, and custom authorization claims are common starting points.