What is JWT structure?

Header.Payload.Signature. Header and Payload are Base64-encoded and can be decoded to read contents.

Is JWT debugging safe?

Yes, if using a tool that runs in the browser. Tokens never leave your device with local processing.

What are exp and sub?

exp is expiration (Unix timestamp), sub is subject (e.g. user ID). Both are claims in the payload.

How to Debug JWT | Decode and Inspect Tokens

JWT (JSON Web Token) is common in API authentication. When something goes wrong, the JWT Decode tool helps you see what’s inside. This article covers how to debug JWTs.

JWT Structure

A JWT has three parts separated by dots: header.payload.signature. Each part is Base64url-encoded. The payload contains claims like exp (expiration) and sub (subject).

Debugging Steps

Decode the payload — Use the JWT Decode tool to see the raw JSON. Check exp for expiration time.
Verify the signature — If you have the secret, verify the token wasn’t tampered with.
Check the algorithm — Ensure the server and client agree on the algorithm (e.g. HS256, RS256).

Common Issues

Token expired — exp is in the past. Get a new token.
Wrong secret — Signature verification fails. Confirm the secret/key matches.
Algorithm mismatch — Server expects a different algorithm than the token uses.

Summary

Decoding JWTs lets you inspect claims and troubleshoot auth issues. Use a local decoder tool to keep tokens private.

→ Try the JWT Decode Tool

Tools

JWT Structure

Debugging Steps

Common Issues

Summary