2026-06-13 · 5 min read · Rahul Chitturi
- jwt
- auth
- debugging
A 401 Unauthorized during integration testing often sends teams spiraling through business logic. Half the time the token has simply expired or was issued for the wrong audience. Decoding the JWT payload (without trusting it for authorization) shows you immediately which it is.
Check exp first
The exp claim is a Unix timestamp in seconds. Convert it to a human-readable date and compare it with your clock. If exp is in the past, refresh the token instead of debugging API handlers.
Other claims that bite
A staging token presented to a service that expects the production issuer fails with an opaque error unless you read the claims.
- aud — token valid only for specific API identifiers
- iss — wrong issuer means wrong environment
- nbf — token not valid yet (clock skew)
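The checks from both sections above, as an added example that is not part of the original post: it decodes the payload without verifying the signature and lists which of exp, nbf, aud and iss would explain a 401. The issuer and audience values, the 30-second leeway and the sample token are constructed assumptions.

```python
import base64, json, time

def b64url_decode(seg: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def decode_payload(token: str) -> dict:
    """Return the claims WITHOUT verifying the signature (debugging only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def diagnose(claims, expected_iss, expected_aud, now=None, leeway=30):
    """List likely reasons for a 401, based on the claims alone."""
    now = time.time() if now is None else now
    problems = []
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if exp is not None and now > exp + leeway:      # leeway (assumed) absorbs clock skew
        problems.append(f"expired {int(now - exp)}s ago")
    if nbf is not None and now < nbf - leeway:
        problems.append(f"not valid for another {int(nbf - now)}s (nbf)")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
    if expected_aud not in aud_list:
        problems.append(f"aud {aud!r} does not include {expected_aud!r}")
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} != {expected_iss!r}")
    return problems

def make_sample_token(claims):
    # Constructed, unsigned sample token for the demo; the signature is a placeholder.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    token = make_sample_token({"iss": "https://staging.idp.example", "aud": "api://orders",
                               "exp": 1_700_000_000, "nbf": 1_699_996_400})
    claims = decode_payload(token)
    print("exp =", time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(claims["exp"])))
    for problem in diagnose(claims, "https://idp.example", "api://orders"):
        print("-", problem)
```

An empty list from diagnose only means the claims look plausible; it says nothing about whether the signature is valid.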
Remember
Decoding is for debugging only. Production services must verify signatures with the correct keys.