
How to Decode a JWT Token from Azure AD or Entra ID

Inspect an access token or ID token locally so you can confirm issuer, audience, scopes, roles, tenant, and expiry before blaming the API.

Problem

APIs usually reject an Azure AD (now Entra ID) token because aud, scp, roles, tid, iss, or exp does not match what the API expects. The header and payload are readable without the signing key, so the quickest diagnosis is to look at the claims, but pasting a production bearer token into an arbitrary web tool hands a live credential to whoever runs that tool.

Solution

Use SmartDevBox JWT Decoder locally in the browser. Decode the header and payload, then use the Unix Timestamp Converter for exp and iat if you want a readable date.

Workflow

  1. Paste the token into SmartDevBox
    Use only the compact JWT string (header.payload.signature), not the full Authorization header. If you copied the header, remove the Bearer prefix first.
  2. Inspect the header
    Check alg and kid. Entra ID signs tokens with RS256, so any other alg is a sign you are not looking at a genuine Entra token. The kid identifies which of the identity provider's published signing keys was used, which matters when your API validates the signature against the tenant's JWKS endpoint.
  3. Check the payload claims
    Look at iss, aud, tid, exp, scp, roles, preferred_username, and oid. scp is a space-separated string of delegated permissions on user tokens; roles is an array of application permissions on app-only (client credentials) tokens. Most integration bugs are an audience mismatch, a missing scope or role, or an expired token.
  4. Translate timestamps
    exp and iat are seconds since the Unix epoch, in UTC. Copy the value into the Unix Timestamp Converter to see the exact UTC and local time represented by the claim.

Examples

Common Azure AD claims to verify

These claim names are the first place to look when an API rejects a Microsoft identity token.

{
  "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
  "aud": "api://your-api-client-id",
  "scp": "Orders.Read",
  "tid": "<tenant-id>",
  "exp": 1735689600
}

Access token vs ID token

Use access tokens when calling APIs. An ID token describes the signed-in user to the client application that requested it, so its aud is that client's own application ID rather than your API's identifier, and a backend that checks aud will reject it. A frontend that forwards its ID token instead of an access token is a common cause of "audience mismatch" reports.

Checklist

  • Confirm aud matches the API's identifier, not the frontend app's client ID.
  • Confirm iss and tid are the tenant you expect.
  • Confirm scp (delegated) or roles (app-only) contains the permission your endpoint requires.
  • Check exp before debugging code; a token that expired is not a code bug.
  • Do not paste production tokens into online tools that send them to someone else's server; a bearer token is a usable credential until it expires.
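The checklist above, and the access-token-versus-ID-token distinction before it, as one function that takes an already decoded payload and returns every item that fails. This is an added example, not the page's or SmartDevBox's code. The expected tenant, audience, and frontend client ID are placeholder assumptions; the accepted issuer set includes both the v2.0 issuer shown on this page and the v1.0 form (https://sts.windows.net/<tenant-id>/), which a tenant's API registration can still emit depending on its accepted token version. The three sample payloads are constructed: a delegated access token, an app-only token carrying roles instead of scp, and an ID token that a frontend sent by mistake.

```python
import time
from typing import List, Optional

# Assumed identifiers for the API under test (placeholders, not from the page).
EXPECTED_TENANT = "00000000-0000-0000-0000-000000000000"
EXPECTED_AUDIENCE = "api://your-api-client-id"
FRONTEND_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
ACCEPTED_ISSUERS = {
    f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0",  # v2.0 token format
    f"https://sts.windows.net/{EXPECTED_TENANT}/",                # v1.0 token format
}

# Constructed sample payloads (added examples, not real tokens). CHECK_TIME is
# one hour before exp so the time check is deterministic.
CHECK_TIME = 1735686000
DELEGATED_ACCESS_TOKEN = {
    "iss": f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0",
    "aud": EXPECTED_AUDIENCE,
    "scp": "Orders.Read Orders.Write",
    "tid": EXPECTED_TENANT,
    "exp": 1735689600,
}
APP_ONLY_TOKEN = {
    "iss": f"https://sts.windows.net/{EXPECTED_TENANT}/",
    "aud": EXPECTED_AUDIENCE,
    "roles": ["Orders.Read"],
    "tid": EXPECTED_TENANT,
    "exp": 1735689600,
}
ID_TOKEN_SENT_BY_MISTAKE = {
    "iss": f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0",
    "aud": FRONTEND_CLIENT_ID,          # the client app's own ID, not the API's
    "tid": EXPECTED_TENANT,
    "preferred_username": "user@example.com",
    "exp": 1735689600,
}


def check_claims(payload: dict, required_permission: str,
                 now: Optional[float] = None) -> List[str]:
    """Return the checklist items a decoded payload fails; empty means all passed.

    This is claim inspection only: it says nothing about whether the signature
    is valid, which is the server-side validation step.
    """
    now = time.time() if now is None else now
    findings: List[str] = []

    iss = payload.get("iss")
    if iss not in ACCEPTED_ISSUERS:
        findings.append(f"iss {iss!r} is not an issuer for tenant {EXPECTED_TENANT}")

    if payload.get("tid") != EXPECTED_TENANT:
        findings.append(f"tid {payload.get('tid')!r} is not the expected tenant")

    # aud may be a string or a list. If the only audience is a client app ID,
    # the caller most likely forwarded an ID token instead of an access token.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        hint = " (looks like an ID token)" if FRONTEND_CLIENT_ID in audiences else ""
        findings.append(f"aud {aud!r} does not match the API {EXPECTED_AUDIENCE}{hint}")

    # Delegated tokens carry scp as a space-separated string; app-only tokens
    # carry roles as a list. Either one may grant the permission.
    scopes = set(str(payload.get("scp", "")).split())
    roles = set(payload.get("roles", []))
    if required_permission not in scopes and required_permission not in roles:
        findings.append(
            f"neither scp {sorted(scopes)} nor roles {sorted(roles)} "
            f"grants {required_permission!r}"
        )

    # exp is seconds since the Unix epoch; a token is invalid at or after it.
    exp = payload.get("exp")
    if exp is None or now >= int(exp):
        findings.append(f"token expired: exp={exp}, checked at {int(now)}")

    return findings


if __name__ == "__main__":
    for label, payload in [("delegated", DELEGATED_ACCESS_TOKEN),
                           ("app-only", APP_ONLY_TOKEN),
                           ("id token", ID_TOKEN_SENT_BY_MISTAKE)]:
        print(label, check_claims(payload, "Orders.Read", now=CHECK_TIME) or "ok")
```

Feed it the payload dict from your decoder and the permission the failing endpoint enforces. The ID-token case is the instructive one: it is a perfectly valid, unexpired Microsoft token that still fails twice, on aud and on the missing scope, which is exactly what an API sees when a frontend sends the wrong token type.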

Frequently Asked Questions

Do I need the secret or private key to decode the JWT?

No. The header and payload are Base64url encoded and can be read without the signing key. The key is only required to verify the signature.

Is decoding the token the same as validating it?

No. Decoding only shows what the token claims about itself; anyone can produce a token with any claims they like. Validation additionally verifies the signature against the issuer's published signing keys (the JWKS endpoint, with kid selecting the key), then checks issuer, audience, expiry, and other policy rules, and it must happen on the server before the claims are trusted.