JWT Inspector
Why this tool?
Quickly decode JWTs offline, inspect standard claims, and spot expiry or not-before issues without sending secrets to external services. Great for debugging auth flows, testing staging tokens, or confirming claim shapes.
It never validates signatures and never transmits the token; it simply decodes and interprets timestamps locally.
How to use it well
Paste any bearer token from your logs or network calls into the box and click Decode. The header shows algorithm and key hints, while the payload displays raw claims in formatted JSON. The claims panel highlights exp, nbf, iat, iss, sub, and aud so you can see whether the token is still inside its time window, not yet active, or missing critical metadata. Use Copy buttons to hand payloads to teammates in chat without risking screenshots.
When debugging login or refresh flows, check that exp and nbf are aligned with the session length you expect. If a mobile client reports “token expired,” this page will confirm the exact skew in seconds. For federated setups, verify iss and aud match what your gateway expects before escalating to identity providers.
Who benefits most
Backend engineers validating new auth middleware, front-end engineers debugging 401 responses, SREs investigating failing health checks with expired machine tokens, and support teams triaging sign-in issues all get instant clarity. Security analysts can sanity-check staging tokens without uploading them to third-party decoders. Educators teaching JWT structure can use this page live in a classroom because nothing leaves the browser.
Product managers working on session policies can see how refresh cadence impacts exp and nbf, making it easier to balance security with usability. QA teams can paste tokens from automated test logs to confirm claims match the test user profile.
Implementation notes
The inspector uses base64url decoding and JSON parsing only; it does not attempt signature verification. That keeps the page lightweight and safe for offline or air-gapped environments. If a segment cannot be parsed, the status message tells you whether the problem is padding, invalid characters, or malformed JSON so you can fix the source quickly.
All parsing is client-side. No analytics, network calls, or storage beyond the page lifecycle are used. You can close the tab to clear everything. If you need signature verification, pair this tool with your server-side libraries, but rely on this view for fast structural checks and time-based validation clues.
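The decode-and-interpret flow described in these notes, as an added example (not this page's own source code): it separates padding, invalid-character, and malformed-JSON failures and reports exp/nbf skew in seconds. The function names, the status strings, and the sample token are assumptions made for illustration.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
function decodeSegment(seg, name) {
  seg = seg.replace(/=+$/, ""); // tolerate padded input; JWT segments are normally unpadded
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error(`${name}: invalid characters`);
  if (seg.length % 4 === 1) throw new Error(`${name}: bad length (padding)`);
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (seg.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  try {
    return JSON.parse(new TextDecoder().decode(bytes));
  } catch (e) {
    throw new Error(`${name}: malformed JSON`);
  }
}

// nowSeconds is injectable so a reported failure time can be replayed.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const header = decodeSegment(parts[0], "header");
  const payload = decodeSegment(parts[1], "payload");
  let status = "within validity window";
  let skewSeconds = null; // seconds past exp, or seconds remaining until nbf
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) {
    status = "not yet active";
    skewSeconds = payload.nbf - nowSeconds;
  } else if (typeof payload.exp === "number" && nowSeconds >= payload.exp) {
    status = "expired";
    skewSeconds = nowSeconds - payload.exp;
  } else if (typeof payload.exp !== "number") {
    status = "no exp claim";
  }
  const missing = ["iss", "sub", "aud"].filter((k) => !(k in payload));
  return { header, payload, status, skewSeconds, missing, signatureVerified: false };
}

// Constructed sample token (not a real credential); the third segment is a dummy.
const b64u = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  b64u({ alg: "HS256", typ: "JWT" }),
  b64u({ iss: "https://idp.example", sub: "user-123", nbf: 1700000000, exp: 1700003600 }),
  "ZHVtbXk",
].join(".");

// A client reported "token expired" at 1700003642: exp was passed 42 seconds earlier.
console.log(inspectJwt(SAMPLE_TOKEN, 1700003642));
```

The result always carries signatureVerified: false, so anything that consumes it cannot mistake decoded claims for authenticated ones.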