Decode Google OAuth ID Tokens
Decode Google OAuth and Sign-In ID tokens online. Inspect aud, iss, email, sub, and at_hash claims with no data leaving your browser.
Decoded Header
{
  "alg": "RS256",
  "kid": "f77ad8d8a78b34c8d2dd4e3a3a3b4c5d6e7f8a9b",
  "typ": "JWT"
}

Decoded Payload
{
  "iss": "https://accounts.google.com",
  "azp": "123456789-abc.apps.googleusercontent.com",
  "aud": "123456789-abc.apps.googleusercontent.com",
  "sub": "114567890123456789012",
  "email": "jane.doe@example.com",
  "email_verified": true,
  "at_hash": "jKLm8N3Pqr_StuvwXY12Aw",
  "name": "Jane Doe",
  "picture": "https://lh3.googleusercontent.com/a/AGNmyxYcDemo123",
  "given_name": "Jane",
  "family_name": "Doe",
  "iat": 1761379200,
  "exp": 1761382800
}

Signature (alg RS256, so RSASSA-PKCS1-v1_5 with SHA-256 over the signing input, not an HMAC)
RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), googlePrivateKey )
This tool decodes JWT tokens for inspection only. No signature verification is performed. Never trust unverified tokens in production.
Google ID Tokens Have Stricter Validation Rules
Google's OAuth 2.0 / OpenID Connect implementation issues two distinct token types: an access token (an opaque string used to call Google APIs) and an ID token (a JWT containing identity claims). When developers say "decode the Google token", they almost always mean the ID token. Decoding the access token won't work — it isn't a JWT at all.
Google ID tokens carry standardized OIDC claims, plus a few Google-specific ones like at_hash (a partial hash of the access token, used to bind the two tokens together). The decoder here is pre-loaded with a representative Google ID token. Replace it with your own to inspect what Google actually returned to your app.
Validation Checklist for Google ID Tokens
Per Google's official docs, verify the signature against Google's published public keys first, then check every claim below before you trust the token server-side. The decoder shows them; your code must check them:
- iss: must be exactly https://accounts.google.com or accounts.google.com. Any other issuer means the token was not issued by Google.
- aud: must equal one of your OAuth client IDs. Web, iOS and Android clients in the same project each have their own client ID, so a backend serving several platforms keeps a list of accepted audiences.
- azp: the "authorized party". For a single client it equals aud; with multiple clients it identifies the client that requested the token, and it should also be one of your client IDs.
- exp: reject the token once the current time passes exp. Google issues ID tokens with a one-hour lifetime, so an exp far beyond iat + 3600 is a red flag, but only the signature check tells you whether a token is genuine.
- email_verified: only the value true means Google has verified ownership of the address. Treating an unverified email as authoritative (for example, auto-linking it to an existing local account) is one of the most common OAuth mistakes.
- at_hash: base64url encoding of the left half of the hash of the access token, using the hash function of the token's alg (SHA-256 for RS256). Checking it ties the access token to this ID token so one cannot be swapped for another.
- hd: present only for Google Workspace accounts and equal to the user's hosted domain (e.g., example.com). Use it to restrict sign-in to corporate accounts, and check the claim server-side rather than relying on the hd hint you sent in the authorization request.
Common Pitfalls
"My token has email but email_verified is false." This happens when the Google account was created with an address Google has not verified (typically a non-Gmail address). Treat the email as user-claimed, not verified: don't auto-link it to an existing local account on that basis.
"aud doesn't match my client ID exactly." Google issues different ID tokens for different OAuth clients in the same project. Confirm you're comparing against the right client ID: the web, iOS and Android clients each have a unique ID.
"The token decodes but I can't verify the signature." Google rotates its signing keys regularly. Fetch the key set from https://www.googleapis.com/oauth2/v3/certs, cache it for the max-age given in the response's Cache-Control header rather than on every verification, and pick the key whose kid matches the kid in the token header. If the kid is not in the cached set, refetch once and retry; if it is still missing, reject the token. Pin the algorithm to RS256 before any key lookup: a token claiming HS256 or none must be rejected, not verified against the RSA key material.
Related Resources
- Generic JWT Decoder
- Auth0 JWT Decoder
- Unix Timestamp Converter: convert iat and exp
- What is a JWT?