Utilido

JWT claims to check before you trust a token

The alg header and the exp, aud, and iss claims are worth reading when you debug an integration.

By Benchehida Abdelatif · Published May 4, 2026 · Updated May 24, 2026 · 7 min read

Decoding a JWT shows its claims; it does not prove authenticity. Still, integration debugging ends sooner when you read alg, exp, aud, and iss before chasing the wrong bug.

First pass

  • Confirm that exp is still in the future, comparing in UTC.
  • Check that aud matches your service ID.
  • Note alg; a value of none or an unexpected algorithm is a red flag.
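
The first pass above, plus the iss check from the introduction, as an added example for Node.js (not Utilido's code). It only inspects an unverified token; firstPass, decodePart, makeSample, the expected values and the sample token are all hypothetical and constructed for illustration.

```javascript
// Added example: first-pass triage of an UNVERIFIED token (inspection only).
// firstPass, decodePart, makeSample and all sample values are hypothetical.
function decodePart(part) {
  // base64url -> base64, then parse; header and payload must be JSON objects
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (obj === null || typeof obj !== 'object') throw new Error('not an object');
  return obj;
}

function firstPass(token, expected, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return ['malformed: expected 3 dot-separated parts'];
  let header, claims;
  try {
    header = decodePart(parts[0]);
    claims = decodePart(parts[1]);
  } catch (e) {
    return ['malformed: header or payload is not base64url JSON'];
  }
  const findings = [];
  // alg: "none" (any casing) or anything outside the allow-list is a red flag
  if (typeof header.alg !== 'string' || header.alg.toLowerCase() === 'none') {
    findings.push('alg: none or missing');
  } else if (!expected.algs.includes(header.alg)) {
    findings.push('alg: unexpected ' + header.alg);
  }
  // exp: seconds since the Unix epoch, so the comparison is in UTC
  if (typeof claims.exp !== 'number') findings.push('exp: missing');
  else if (claims.exp <= nowSeconds) findings.push('exp: expired');
  // aud may be one string or an array of strings
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.aud)) findings.push('aud: mismatch');
  if (claims.iss !== expected.iss) findings.push('iss: mismatch');
  return findings;
}

// Builds a constructed sample token; the third part is a placeholder, not a signature
function makeSample(header, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc(header) + '.' + enc(claims) + '.placeholder';
}

const expected = { algs: ['RS256'], aud: 'orders-api', iss: 'https://idp.example.test/' };
const now = 1800000000; // fixed clock so the result is reproducible
const sample = makeSample({ alg: 'none', typ: 'JWT' },
  { iss: expected.iss, aud: 'billing-api', exp: now - 60 });
console.log(firstPass(sample, expected, now));
```

An empty findings list means only that the claims look plausible; the signature is still unchecked.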

Verification belongs on the server

Verify the signature in the API layer, using JWKS or your secret. The Utilido JWT decoder is for inspection during development, not for authorization decisions in production.