Local JWT decoder

BlueSky JWT and session token decoder

Decode an AT Protocol JWT header and payload locally in your browser, inspect exp, iat, issuer, subject, and audience claims, then troubleshoot session-expired errors without sending the token anywhere.

Decode token claims

This tool only decodes readable JWT claims. It does not verify the signature, refresh a session, contact a PDS, or prove that a token is valid.

Expired

JWT

Header

{
  "alg": "none",
  "typ": "JWT"
}

Payload

{
  "sub": "did:plc:example123",
  "aud": "https://bsky.social",
  "iss": "did:web:example.com",
  "iat": 1781970000,
  "exp": 1781973600,
  "scope": "atproto"
}

Issued at

2026-06-20T15:40:00.000Z

Not before

Not present

Expires

2026-06-20T16:40:00.000Z

Token safety

Do not paste active tokens into screenshots, chats, logs, or shared documents.
Use this only on a device you trust. Decoding is local, but the token is still sensitive while visible.
Refresh tokens are more sensitive than short-lived access tokens.
If a real token was exposed, revoke the app password or session and reconnect safely.

BlueSky session clues

createSession returns an accessJwt, refreshJwt, handle, and DID.
refreshSession requires the refreshJwt, not the accessJwt.
OAuth clients may also need DPoP proof JWTs and nonce handling.
An expired readable exp claim does not explain every auth failure, but it is a useful first check.

Official references

createSession lexicon refreshSession lexicon OAuth client guide

Connect safely

ONYX uses revocable BlueSky app-password connections for approved scheduling. Keep your main password private and reconnect if a credential is exposed.

Start Free