JWT Decoder for API Testing — Debug Auth Headers
Quick Answer: When debugging API 401/403 errors, decode the JWT from the Authorization: Bearer header to check: (1) is it expired? (2) does it have the required scopes? (3) is the audience (aud) correct? (4) does it contain the expected claims?
FAQ
Why am I getting 401 Unauthorized with a valid JWT?
Common causes: the token has expired (check exp), the audience is wrong (check that aud matches the API), a required scope is missing, or the API expects a different signing algorithm.
How do I extract the JWT from an API request?
In the browser DevTools Network tab, find the request and look for the Authorization header value. Remove the "Bearer " prefix to get the raw JWT.
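The checks above (exp, aud, scope) applied to a copied Authorization header value, as an added example that is not part of the original page. It decodes the token without verifying the signature, so the output is only a debugging aid; the function names, the example.test audience and the space-delimited "scope" claim are assumptions.

```python
import base64
import json
import time

def _b64url_json(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_bearer(header_value, expected_aud, required_scopes, now=None):
    """Decode a JWT WITHOUT verifying its signature and list likely 401/403 causes."""
    now = time.time() if now is None else now
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("expected 'Bearer <header>.<payload>.<signature>'")
    header_seg, payload_seg, _sig = token.split(".")
    header, claims = _b64url_json(header_seg), _b64url_json(payload_seg)

    findings = []
    exp = claims.get("exp")
    if exp is None:
        findings.append("no exp claim")
    elif exp <= now:
        findings.append(f"expired {int(now - exp)}s ago")
    # aud may be a single string or a list of strings (RFC 7519).
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_aud not in auds:
        findings.append(f"aud {auds} does not include {expected_aud}")
    # Assumption: scopes arrive as a space-delimited "scope" claim;
    # some issuers use "scp" or a JSON list instead.
    granted = set(str(claims.get("scope", "")).split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        findings.append(f"missing scopes: {missing}")
    return {"alg": header.get("alg"), "claims": claims, "findings": findings}

def _make_sample(claims):
    # Constructed token for the demo; the signature segment is a dummy value.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return "Bearer " + ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

SAMPLE = _make_sample({"sub": "user-1", "aud": "https://api.example.test",
                       "exp": 1700000000, "scope": "orders:read"})

if __name__ == "__main__":
    print(inspect_bearer(SAMPLE, "https://api.billing.example.test",
                         ["orders:read", "orders:write"]))
```

The returned "claims" dictionary covers the fourth check: compare it by eye against the claims the API expects, and compare "alg" against the algorithm the API is configured to accept.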