Node.js JWT Decoder & Verifier
Decode and inspect JSON Web Tokens for your Node.js applications. Paste a JWT to see its header, payload, and signature, then use the code examples to implement verification in Express, Fastify, or plain Node.js. Your tokens stay in your browser.
JWT Decoder
Decode and inspect JSON Web Tokens. View header, payload, and expiration status.
How to decode and verify JWTs in Node.js
Install the jsonwebtoken package: npm install jsonwebtoken. To decode without verification (inspect claims): const decoded = jwt.decode(token, { complete: true }). To verify with a secret: const payload = jwt.verify(token, secretOrPublicKey). For RS256 tokens, pass the public key or certificate. Common pattern: try { const payload = jwt.verify(token, secret); } catch (err) { if (err.name === 'TokenExpiredError') { /* handle expiry */ } }. Use this tool to inspect token claims before writing verification logic.
Express JWT middleware pattern
Standard Express authentication middleware: const authMiddleware = (req, res, next) => { const token = req.headers.authorization?.split(' ')[1]; if (!token) return res.status(401).json({ error: 'No token' }); try { req.user = jwt.verify(token, process.env.JWT_SECRET); next(); } catch { res.status(403).json({ error: 'Invalid token' }); } }. For production, consider express-jwt or passport-jwt which handle edge cases. Always validate the iss (issuer) and aud (audience) claims in addition to the signature.
Debugging JWT issues in Node.js
Common JWT errors: 'jwt expired' (check exp claim — paste your token here to see the exact timestamp), 'invalid signature' (wrong secret/key or token was modified), 'jwt malformed' (not a valid JWT format — should be three dot-separated Base64URL segments), 'jwt not active' (nbf claim is in the future). The jsonwebtoken library also supports clockTolerance for clock skew between servers. For RS256/ES256, ensure you're using the matching public key — paste the token here to check the alg header.
Frequently Asked Questions
How do I decode a JWT in Node.js without verifying it?
Use jwt.decode(token, { complete: true }) from the jsonwebtoken package. This returns { header, payload, signature } without checking the signature. Useful for inspecting claims, but never trust unverified tokens for authorization.
Should I use jsonwebtoken or jose in Node.js?
jsonwebtoken is the most popular (15M+ weekly downloads) and simpler for basic HS256/RS256 use cases. jose is newer, supports Web Crypto API, works in Edge runtimes (Vercel Edge, Cloudflare Workers), and handles JWE (encrypted tokens). Use jose for modern runtimes; jsonwebtoken for traditional Node.js servers.
How do I handle JWT expiration in Express?
Catch the TokenExpiredError in your middleware: if (err.name === 'TokenExpiredError') { /* refresh or re-authenticate */ }. Set reasonable exp times (15 minutes for access tokens, 7 days for refresh tokens). Implement token refresh with a separate /refresh endpoint that issues new access tokens.
Related Inspect Tools
Diff Checker
Compare two texts and see differences highlighted
Cron Expression Parser
Parse cron schedules into plain English with next run times
Word & Character Counter
Count words, characters, sentences, and estimate reading time
Chmod Calculator
Calculate Unix file permissions with an interactive permission matrix