HEADER (Algorithm: RS256)
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "NEM1NjI3RTBCMDQ4QkE1RTQ4OUM4QzAwQzhFMjU3RDc1QkUwMEUwNQ"
}
PAYLOAD (Issued: Oct 25, 2025, 08:00:00 · Expired)
{
  "iss": "https://demo-tenant.us.auth0.com/",
  "sub": "auth0|6543a1b2c3d4e5f678901234",
  "aud": [
    "https://api.example.com",
    "https://demo-tenant.us.auth0.com/userinfo"
  ],
  "iat": 1761379200,
  "exp": 1761465600,
  "scope": "openid profile email read:orders write:orders",
  "azp": "a3B7Lc1DKlMNoPqRsTuVwXyZ",
  "permissions": [
    "read:orders",
    "write:orders"
  ]
}
SIGNATURE (Present)
RSASHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  privateKey
)

With alg RS256 the signature is an RSA (RSASSA-PKCS1-v1_5 with SHA-256) signature over the encoded header and payload, produced with the tenant's private key. A verifier checks it with the tenant's public key, selected by the kid in the header, not with a shared secret.

This tool decodes JWT tokens for inspection only. No signature verification is performed. Never trust unverified tokens in production.

Why Auth0 Tokens Need Special Inspection

Auth0 issues both ID tokens and access tokens, and the two carry different claims even though they share the same JWT structure. Auth0 access tokens include platform-specific claims like azp (authorized party), scope, and a permissions array tied to your tenant's RBAC configuration. When debugging "permission denied" errors, the fastest path is to decode the token and confirm exactly which scopes and permissions Auth0 actually issued, not what your app expected to receive.

This page pre-loads a representative Auth0 access token. Replace it with your own token (everything stays in your browser) to inspect production tokens during incident response.

Auth0-Specific Claims You Should Check First

Beyond the standard JWT claims, Auth0 adds several namespaced and platform-specific fields. Skim these in order when triaging an auth issue:

  • iss: Always ends in .auth0.com/ (or your custom domain). If the issuer doesn't match the tenant your API expects, you're looking at a token from the wrong tenant.
  • aud: An array containing your API identifier and (for tokens with the openid scope) the /userinfo endpoint. A missing audience is the #1 cause of 403 Forbidden errors.
  • scope: Space-separated list of OAuth scopes granted at login. Auth0 silently drops scopes the user wasn't permitted to consent to.
  • permissions: Array of fine-grained permissions from Auth0's RBAC. Only present if you've enabled "Add Permissions in the Access Token" in the API settings.
  • azp: The Auth0 client ID that obtained the token. Useful when multiple SPAs share the same API.
  • sub: Always has the form connection|userid, for example auth0|userid or google-oauth2|userid. The prefix tells you which connection authenticated the user.

Common Debugging Scenarios

"My API returns 401 even though the user just logged in." Check exp against the current Unix timestamp. Auth0 access tokens default to a 24-hour lifetime but can be configured down to 60 seconds. Also confirm that iss exactly matches the issuer your API's middleware is configured to accept, including the trailing slash.

"Permissions are missing from the token." Auth0 only includes permissions if both your API has RBAC enabled and "Add Permissions in the Access Token" is toggled on. The setting is per-API, not per-tenant.

"scope only shows openid profile email but I requested more." Auth0 silently drops scopes the consent screen wasn't allowed to show. Check Application → APIs → Authorized scopes for the tenant.
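The checklist above and the three debugging scenarios can be run as a script instead of by eye. The following is an added example, not code from this page or from Auth0: it decodes a token without verifying it (exactly as the tool does) and reports which of the page's checks fail. The token is constructed from the header and payload shown on this page with a placeholder signature; the expected issuer, audience and the "now" timestamp are assumptions passed in by the caller.

```python
import base64
import json

# Constructed sample: header and payload are the ones decoded on this page.
# The signature segment is a placeholder because this inspection never verifies it.
HEADER = {"alg": "RS256", "typ": "JWT",
          "kid": "NEM1NjI3RTBCMDQ4QkE1RTQ4OUM4QzAwQzhFMjU3RDc1QkUwMEUwNQ"}
PAYLOAD = {
    "iss": "https://demo-tenant.us.auth0.com/",
    "sub": "auth0|6543a1b2c3d4e5f678901234",
    "aud": ["https://api.example.com", "https://demo-tenant.us.auth0.com/userinfo"],
    "iat": 1761379200, "exp": 1761465600,
    "scope": "openid profile email read:orders write:orders",
    "azp": "a3B7Lc1DKlMNoPqRsTuVwXyZ",
    "permissions": ["read:orders", "write:orders"],
}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def compact(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

SAMPLE_TOKEN = ".".join([compact(HEADER), compact(PAYLOAD),
                         b64url_encode(b"placeholder-signature")])

def decode_unverified(token: str) -> tuple[dict, dict]:
    """Decode header and payload for inspection only. The signature is NOT checked."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def connection_of(sub: str) -> str:
    """The prefix before '|' in sub names the Auth0 connection (auth0, google-oauth2, ...)."""
    return sub.split("|", 1)[0]

def triage(payload: dict, expected_iss: str, expected_aud: str, now: int) -> list[str]:
    """Run the page's checklist; one finding per failed check, empty list if all pass."""
    findings = []
    if payload.get("iss") != expected_iss:  # exact match, trailing slash included
        findings.append(f"iss mismatch: token has {payload.get('iss')!r}, API expects {expected_iss!r}")
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a single string or an array
    if expected_aud not in aud:
        findings.append(f"aud does not contain API identifier {expected_aud!r}")
    if now >= payload.get("exp", 0):
        findings.append(f"expired: exp={payload.get('exp')} now={now}")
    if "permissions" not in payload:
        findings.append("permissions claim absent: check 'Add Permissions in the Access Token' on the API")
    return findings
```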
