Node.js JWT Decoder & Verifier
Decode and inspect JSON Web Tokens for your Node.js applications. Paste a JWT to see its header, payload, and signature, then use the code examples to implement verification in Express, Fastify, or plain Node.js. Your tokens stay in your browser.
JWT Decoder
Decode and inspect JSON Web Tokens. View header, payload, and expiration status.
How to decode and verify JWTs in Node.js
Install the jsonwebtoken package: npm install jsonwebtoken. To decode without verification (inspect claims): const decoded = jwt.decode(token, { complete: true }). To verify with a secret: const payload = jwt.verify(token, secretOrPublicKey). For RS256 tokens, pass the public key or certificate. Common pattern: try { const payload = jwt.verify(token, secret); } catch (err) { if (err.name === 'TokenExpiredError') { /* handle expiry */ } }. Use this tool to inspect token claims before writing verification logic.
// Node.js — decode and verify JWT tokens
import jwt from "jsonwebtoken";
// Decode WITHOUT verification (inspect only)
const decoded = jwt.decode(token, { complete: true });
console.log(decoded.header); // { alg: "RS256", typ: "JWT" }
console.log(decoded.payload); // { sub: "user-1", exp: ... }
// Verify with secret (recommended)
try {
const verified = jwt.verify(token, process.env.JWT_SECRET);
console.log("Valid:", verified.sub);
} catch (err) {
console.error("Invalid token:", err.message);
// "jwt expired", "invalid signature", etc.
}Express JWT middleware pattern
Standard Express authentication middleware: const authMiddleware = (req, res, next) => { const token = req.headers.authorization?.split(' ')[1]; if (!token) return res.status(401).json({ error: 'No token' }); try { req.user = jwt.verify(token, process.env.JWT_SECRET); next(); } catch { res.status(403).json({ error: 'Invalid token' }); } }. For production, consider express-jwt or passport-jwt which handle edge cases. Always validate the iss (issuer) and aud (audience) claims in addition to the signature.
Debugging JWT issues in Node.js
Common JWT errors: 'jwt expired' (check exp claim — paste your token here to see the exact timestamp), 'invalid signature' (wrong secret/key or token was modified), 'jwt malformed' (not a valid JWT format — should be three dot-separated Base64URL segments), 'jwt not active' (nbf claim is in the future). The jsonwebtoken library also supports clockTolerance for clock skew between servers. For RS256/ES256, ensure you're using the matching public key — paste the token here to check the alg header.
Frequently Asked Questions
How do I decode a JWT in Node.js without verifying it?
Use jwt.decode(token, { complete: true }) from the jsonwebtoken package. This returns { header, payload, signature } without checking the signature. Useful for inspecting claims, but never trust unverified tokens for authorization.
Should I use jsonwebtoken or jose in Node.js?
jsonwebtoken is the most popular (15M+ weekly downloads) and simpler for basic HS256/RS256 use cases. jose is newer, supports Web Crypto API, works in Edge runtimes (Vercel Edge, Cloudflare Workers), and handles JWE (encrypted tokens). Use jose for modern runtimes; jsonwebtoken for traditional Node.js servers.
How do I handle JWT expiration in Express?
Catch the TokenExpiredError in your middleware: if (err.name === 'TokenExpiredError') { /* refresh or re-authenticate */ }. Set reasonable exp times (15 minutes for access tokens, 7 days for refresh tokens). Implement token refresh with a separate /refresh endpoint that issues new access tokens.
Related Inspect Tools
JSON Visualizer
Visualize JSON as an interactive tree — collapsible nodes, search, path copy, depth controls, and data statistics
Git Diff Viewer
Paste unified diff output from git diff and view it with syntax highlighting, line numbers, and side-by-side or inline display
Compression Tester
Test and compare Brotli, Gzip, and Deflate compression ratios for text content — sizes, savings, and speed
TypeScript 6.0 Migration Checker
Analyze your tsconfig.json for TS 6.0 breaking changes, deprecated options, new defaults, and get a readiness grade with fixes