How to inspect an Auth0 JWT token

Read the claims inside an Auth0 access token or ID token to debug permissions and user data.

Auth0 issues both access tokens and ID tokens as JWTs. When an integration breaks (a user lacks permissions, a role is missing, or an API returns 401), the fastest way to find the cause is to inspect the token claims directly. This guide explains how to decode an Auth0 JWT and what each claim means, without writing a single line of code. You'll identify the 'scope', 'permissions', 'https://your-namespace/roles', and custom claims added by Auth0 Rules or Actions.

Step-by-step guide

  1. Get the token: In Auth0's Dashboard, go to Auth0 → Applications → Test → copy the access_token from the response. Or grab it from your app's auth flow in browser DevTools.
  2. Paste and decode: Paste the token at quickhelp.dev/jwt-decoder. Look in the header for 'alg' (RS256 for Auth0) and in the payload for 'aud', 'iss', 'sub', and 'scope'.
  3. Check permissions: Auth0 RBAC adds a 'permissions' array and a namespaced roles claim. Confirm the user has the expected permissions before debugging your API logic.
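
The same three steps can be done locally so the token never leaves your machine. The following is an added example, not part of the original guide or of Auth0's tooling: the function names, tenant URL, namespace and sample token are constructed, and the code only decodes the token, it does not verify the signature.

```javascript
// Added example: decode (NOT verify) an Auth0-style JWT and summarize its claims.
// The tenant URL, namespace, audience and token below are constructed sample values.

function b64urlJson(part) {
  // base64url -> base64, then parse the JSON segment
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

function inspectAuth0Token(token, { expectedIss, expectedAud, now = Date.now() / 1000 } = {}) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected 3 dot-separated parts");
  const header = b64urlJson(parts[0]);
  const payload = b64urlJson(parts[1]);
  // 'aud' may be a single string or an array of strings
  const aud = [].concat(payload.aud ?? []);
  // Namespaced roles claim: a claim whose name is a URL ending in /roles
  const rolesKey = Object.keys(payload).find((k) => /^https?:\/\/.+\/roles$/.test(k));
  const findings = [];
  if (header.alg !== "RS256") findings.push(`unexpected alg: ${header.alg}`);
  if (expectedIss && payload.iss !== expectedIss) findings.push(`iss mismatch: ${payload.iss}`);
  if (expectedAud && !aud.includes(expectedAud)) findings.push(`aud missing: ${expectedAud}`);
  if (typeof payload.exp === "number" && payload.exp <= now) findings.push("token expired");

  return {
    alg: header.alg,
    sub: payload.sub,
    scopes: typeof payload.scope === "string" ? payload.scope.split(" ").filter(Boolean) : [],
    permissions: Array.isArray(payload.permissions) ? payload.permissions : [],
    roles: rolesKey ? payload[rolesKey] : [],
    findings,
  };
}

// Constructed sample token; the signature segment is a placeholder and is never checked
const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  enc({ alg: "RS256", typ: "JWT" }),
  enc({
    iss: "https://example-tenant.example.com/", aud: ["https://api.example.com"],
    sub: "auth0|constructed-user", scope: "openid read:orders", exp: 1700000000,
    permissions: ["read:orders"], "https://example.com/roles": ["viewer"],
  }),
  "c2lnbmF0dXJl",
].join(".");

console.log(inspectAuth0Token(sampleToken, { expectedAud: "https://api.example.com" }));
```

An empty `findings` array means the decoded claims match what the API expects; any entry points at a likely cause of the 401.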

Frequently asked questions

Why does Auth0 use RS256 instead of HS256?
RS256 (RSA + SHA-256) lets any party verify the token using Auth0's public JWKS endpoint without knowing the private signing key, which is more secure for public APIs.

How do I verify an Auth0 token's signature?
Paste your Auth0 PEM public key (from your tenant's JWKS endpoint) into the Verify section and select RS256.

Try it now

Use the JWT Decoder to complete this task — free, no sign-up, runs in your browser.
