When an API request fails with 401 Unauthorized, the problem is not always in the application code.
The token may be expired, issued for a different audience, or missing a required scope.
Decoding the JWT before review makes authentication issues much easier to separate from implementation bugs.
When this helps
Suppose a request works locally but fails in staging.
Before changing code, paste the JWT into the JWT tool and inspect the header and payload.
{
  "sub": "user_123",
  "aud": "devtoolkits-api",
  "scope": "articles:read articles:write",
  "iat": 1779001200,
  "exp": 1779004800
}
Start with exp.
If the value is a Unix timestamp, convert it to your local time zone so you can quickly tell whether the token is still valid.
Then check aud and scope.
Even when the signature is valid, an API can reject a token if the audience or permissions do not match what the endpoint expects.
Review checklist
- exp is later than the current time
- iat is not unexpectedly in the future
- aud matches the target API
- scope or role contains the required permissions
- Staging and production tokens are not mixed up
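The same checklist as a script, added here as an example and not part of the original article: it decodes the header and payload of a token and reports which claims would fail review. The token, the expected audience and the required scopes are constructed for the example; it inspects claims only and does not validate the signature.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    # base64url without padding, as used in JWT segments
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token carrying the payload shown in the article.
# The signature segment is a placeholder; this triage step never checks it.
SAMPLE_CLAIMS = {"sub": "user_123", "aud": "devtoolkits-api",
                 "scope": "articles:read articles:write",
                 "iat": 1779001200, "exp": 1779004800}
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"placeholder-signature"),
])


def decode_jwt(token: str):
    """Return (header, claims) without verifying the signature."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    out = []
    for seg in segments[:2]:
        padded = seg + "=" * (-len(seg) % 4)  # restore stripped padding
        out.append(json.loads(base64.urlsafe_b64decode(padded)))
    return out[0], out[1]


def triage_claims(claims, expected_aud, required_scopes, now=None, leeway=60):
    """Apply the review checklist; an empty list means the claims look fine."""
    now = int(time.time()) if now is None else now
    findings = []
    exp, iat, aud = claims.get("exp"), claims.get("iat"), claims.get("aud")
    if exp is None or exp <= now:
        findings.append(f"exp {exp} is missing or not later than now ({now})")
    if iat is not None and iat > now + leeway:  # small clock skew tolerated
        findings.append(f"iat {iat} is in the future")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a list
    if expected_aud not in auds:
        findings.append(f"aud {aud!r} does not match {expected_aud!r}")
    missing = set(required_scopes) - set(claims.get("scope", "").split())
    if missing:
        findings.append(f"scope lacks {sorted(missing)}")
    return findings
```

Pass the current time as `now` when reproducing a failure captured earlier, so the exp and iat checks reflect the moment the request was made.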
Doing this once before review keeps the discussion focused.
It becomes clear whether a failing request is caused by code, configuration, or a test token.