Orlixio

API and auth debugging

Inspect a JWT token safely

Decode header and payload, inspect claims, convert exp/iat/nbf timestamps, and keep signature verification separate.

Goal: Understand why a bearer token is accepted, rejected, expired, or scoped incorrectly.

Workflow steps

  1. Use a redacted or test token

     Avoid pasting live production tokens. If a token leaked, rotate or revoke it before sharing it anywhere.

  2. Decode header and payload

     Use JWT Decoder to inspect algorithm, key id, issuer, audience, subject, scopes, and custom claims.

  3. Convert time claims

     Read exp, iat, and nbf as dates. Many JWT issues are simple timestamp or clock-skew problems.

  4. Verify in trusted backend code

     Decoded payloads are readable but not trusted. Signature verification belongs in backend or identity-provider logic.
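The four steps above in working code, as an added example that is not part of the Orlixio page or the JWT Decoder tool: unverified decoding of header and payload, conversion of exp/iat/nbf to UTC dates, and HS256 signature verification kept in its own function. The token, the shared secret and all claim values are constructed here for illustration and are not real credentials.

```python
import base64, hmac, hashlib, json
from datetime import datetime, timezone

def b64url_decode(s: str) -> bytes:
    # JWT segments drop the "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token: str) -> dict:
    """Step 2: read header and payload. This proves nothing about authenticity."""
    header_b64, payload_b64, _sig = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64))}

def time_claims(payload: dict, now: int) -> dict:
    """Step 3: render exp/iat/nbf as UTC dates and flag expired / not-yet-valid tokens."""
    out = {}
    for name in ("iat", "nbf", "exp"):
        if name in payload:
            out[name] = datetime.fromtimestamp(payload[name], tz=timezone.utc).isoformat()
    out["expired"] = "exp" in payload and now >= payload["exp"]
    out["not_yet_valid"] = "nbf" in payload and now < payload["nbf"]
    return out

def verify_hs256(token: str, key: bytes) -> bool:
    """Step 4: the only step that establishes trust; in real systems it runs in the backend."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))

# Constructed test token (not a real credential): HS256 over a made-up payload.
TEST_KEY = b"example-shared-secret"

def make_test_token(payload: dict, key: bytes = TEST_KEY) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

TEST_TOKEN = make_test_token({"iss": "https://idp.example", "sub": "user-42", "aud": "api",
                              "scope": "read", "iat": 1778526000, "exp": 1778529600})

if __name__ == "__main__":
    parts = decode_unverified(TEST_TOKEN)
    print(json.dumps(parts, indent=2))
    print(time_claims(parts["payload"], now=1778530000))   # now is past exp -> expired
    print("signature valid:", verify_hs256(TEST_TOKEN, TEST_KEY))
```

Note that decode_unverified happily decodes a token whose payload has been swapped, while verify_hs256 rejects it; that gap is exactly why the decoded view is for reading, not for authorization decisions.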

Real examples

Authorization header

Authorization: Bearer <redacted-jwt>

Timestamp claim

"exp": 1778529600

Common pitfalls

Trusting decoded claims without verifying the signature.

Logging Authorization headers.

Confusing Base64URL decoding with security.