
How do I decode a JWT safely?

Short answer: Decode JWTs in a local browser tool, review claims such as exp, iss, aud, and sub, and verify signatures separately when authenticity matters.

Steps

  1. Paste the token into a trusted JWT decoder.
  2. Review the header algorithm and token type.
  3. Inspect payload claims such as expiration, issuer, audience, and subject.
  4. Do not treat decoded claims as verified unless the signature is validated.
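The steps above as an added example (not the debugtools decoder's own code): a decode-only inspector that runs locally in a browser console or Node, surfaces the header and the exp, iss, aud, and sub claims, and always reports the result as unverified. The names inspectJwt, b64urlToText, toB64url, and sampleToken are assumptions, and the sample token is constructed with a placeholder signature.

```javascript
// Added example: decode-only JWT inspection, run locally. No signature is verified here.
const b64urlToText = (seg) => {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error("segment is not base64url");
  const bin = atob(seg.replace(/-/g, "+").replace(/_/g, "/"));
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
};

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  if (header === null || typeof header !== "object") throw new Error("header is not a JSON object");
  if (payload === null || typeof payload !== "object") throw new Error("payload is not a JSON object");

  const warnings = [];
  // Step 2: header algorithm and token type.
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg is none: token is unsigned");
  if (parts[2] === "") warnings.push("signature segment is empty");
  // Step 3: expiration, issuer, audience, subject.
  if (typeof payload.exp !== "number") warnings.push("no numeric exp claim");
  else if (payload.exp <= nowSeconds) warnings.push("exp is in the past");
  for (const claim of ["iss", "aud", "sub"]) {
    if (!(claim in payload)) warnings.push(`missing ${claim} claim`);
  }
  // Step 4: decoding proves nothing about authenticity, so this is always false.
  return { header, payload, warnings, verified: false };
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const toB64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ iss: "https://issuer.example", aud: "api.example", sub: "user-123", exp: 1700000000 }),
  "not-a-real-signature",
].join(".");

console.log(inspectJwt(sampleToken));
```

Signature validation needs the issuer's key and belongs in a separate step; until that step passes, the claims returned here are untrusted input.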

Use debugtools

Open the JWT Decoder to run this workflow in the browser.
