Text Tool Kit

How to decode JWT tokens safely

A lightweight guide to inspecting JWT headers and payloads without confusing decoding with verification.

JWTs are useful for debugging authentication flows, but many people mix up decoding a token with verifying it. Those are not the same thing. A decoded payload is informative, not authoritative.

Decode versus verify

Decoding a JWT simply means turning the header and payload into readable JSON. It does not confirm that the token was issued by a trusted party or that it has not been tampered with.

Verification requires checking the signature with the correct secret or public key. If you skip that distinction, you can draw the wrong conclusion from a token that merely looks valid.

Claims worth checking first

When debugging auth flows, the first claims to inspect are usually the subject (`sub`), audience (`aud`) and issuer (`iss`), followed by the expiration (`exp`), issued-at (`iat`) and not-before (`nbf`) timestamps.

Those values often explain failed sessions, early logouts, wrong environment tokens, or frontend/backend mismatches.

  • Check `exp` when sessions seem to expire too early.
  • Check `aud` and `iss` when tokens work in one environment but fail in another.
  • Check `nbf` and `iat` when clocks are out of sync.

A safer inspection habit

Use a local browser-side decoder when the goal is just inspection. A JWT pasted into a remote decoder is a live credential handed to whoever runs that service, so keeping the decode step local removes the temptation to paste sensitive tokens into unknown third-party tools.

After decoding, if you need to confirm authenticity, move to the system that can properly verify the signature.
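To make the decode-versus-verify distinction and the claim checks above concrete, here is an added example (not code from Text Tool Kit) of a browser-side inspector that decodes a token and reports the `exp`/`nbf`/`iat`/`iss`/`aud` problems listed above while never claiming the token is verified. The sample token, the expected issuer and audience, and the `now`/`skew` values are constructed for the demonstration.

```javascript
// Added example (not the Text Tool Kit's own code): a browser-side JWT inspector
// that decodes header and payload and flags common claim problems. It deliberately
// does NOT verify the signature. Uses atob/btoa/TextDecoder (browsers and Node 16+).

function base64UrlToBytes(segment) {
  // JWT segments are unpadded base64url: restore '+', '/' and '=' for atob.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Decode only: header and payload become objects, the signature stays an
// opaque string. `verified` is always false; nothing here proves authenticity.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  const dec = new TextDecoder();
  return {
    header: JSON.parse(dec.decode(base64UrlToBytes(parts[0]))),
    payload: JSON.parse(dec.decode(base64UrlToBytes(parts[1]))),
    signature: parts[2],
    verified: false,
  };
}

// Explain likely failure causes from exp/nbf/iat/iss/aud. `expected` carries the
// iss and aud this environment requires, `now` is seconds since epoch and `skew`
// is the tolerated clock drift in seconds (all three are assumptions of this example).
function inspectClaims(payload, expected, now, skew = 60) {
  const findings = [];
  if (payload.exp !== undefined && now > payload.exp + skew) findings.push("expired (exp)");
  if (payload.nbf !== undefined && now + skew < payload.nbf) findings.push("not yet valid (nbf)");
  if (payload.iat !== undefined && payload.iat > now + skew) findings.push("issued in the future (iat)");
  if (expected.iss && payload.iss !== expected.iss) findings.push(`issuer mismatch: ${payload.iss}`);
  const aud = [].concat(payload.aud ?? []); // aud may be a single string or an array
  if (expected.aud && !aud.includes(expected.aud)) findings.push(`audience mismatch: ${aud.join(",")}`);
  return findings;
}

// Constructed sample token (ASCII-only claims, placeholder signature) for the demo.
function base64UrlEncode(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  base64UrlEncode({ alg: "HS256", typ: "JWT" }),
  base64UrlEncode({ sub: "user-123", iss: "https://auth.example.test", aud: "api-staging",
                    iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "placeholder-signature",
].join(".");
console.log(inspectClaims(decodeJwt(SAMPLE_TOKEN).payload, { aud: "api-production" }, 1700007200));
```

Run against a real token, the `findings` array points at which claim explains a failed session; a clean result still says nothing about authenticity until the signature is checked elsewhere.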
