How to Decode a Firebase JWT: UID, Claims, and Token Structure
- Firebase ID token structure and which claims it always contains
- How to find the UID and auth provider from a decoded Firebase token
- Firebase custom claims: how they are set and where they appear
- Difference between Firebase ID token and custom tokens
Firebase Authentication issues ID tokens as JWTs after every sign-in. Decoding one reveals the user UID, email, sign-in provider, and any custom claims set via the Admin SDK. Paste your Firebase token into the decoder above to inspect it directly.
What Is Inside a Firebase ID Token
A decoded Firebase ID token payload looks like this:
{
  "iss": "https://securetoken.google.com/YOUR-PROJECT-ID",
  "aud": "YOUR-PROJECT-ID",
  "auth_time": 1700000000,
  "user_id": "abc123xyz",
  "sub": "abc123xyz",
  "iat": 1700000000,
  "exp": 1700003600,
  "email": "[email protected]",
  "email_verified": true,
  "firebase": {
    "identities": {
      "email": ["[email protected]"]
    },
    "sign_in_provider": "password"
  }
}
Key things to note: sub and user_id both contain the Firebase UID — they are identical. The iss always starts with https://securetoken.google.com/ followed by your project ID. The firebase.sign_in_provider tells you how the user authenticated: password, google.com, apple.com, anonymous, etc.
Firebase Custom Claims in the Decoded Token
Custom claims set via the Firebase Admin SDK appear as top-level fields in the JWT payload (not nested). For example, if you set:
// Admin SDK (Node.js)
await admin.auth().setCustomUserClaims(uid, { admin: true, tier: 'pro' });
The decoded token contains:
{
  "sub": "abc123xyz",
  "email": "[email protected]",
  "admin": true,
  "tier": "pro",
  ...
}
Important: custom claims are baked into the token at sign-in time. If you update custom claims server-side, the user must get a new token (sign out and sign back in, or force a token refresh) to see the updated claims.
Firebase custom claims have a 1000-byte size limit across all claims combined. Keep them minimal — IDs and flags, not large objects.
Firebase Token Expiry: 1 Hour Lifetime
Firebase ID tokens expire after exactly 1 hour. The Firebase client SDK handles token refresh automatically — when you call getIdToken(), the SDK returns a cached token if it is still valid or fetches a new one silently.
To force a fresh token (needed after updating custom claims server-side):
// JavaScript Firebase client SDK
const token = await firebase.auth().currentUser.getIdToken(true);
// true = force refresh even if current token is still valid
When you decode a Firebase token, check exp - iat — it should be exactly 3600 seconds (1 hour).
Firebase Custom Tokens vs ID Tokens
Firebase has two token types that are easy to confuse:
- ID token: Issued by Firebase after sign-in. Short-lived (1 hour). This is what you send to your backend to verify the user. Has the structure above.
- Custom token: Created by your server using the Admin SDK to sign in a user programmatically. Short-lived (1 hour) and can only be exchanged for an ID token via signInWithCustomToken() on the client. The custom token itself is not the same format as an ID token.
When you paste a token in the decoder: if iss starts with https://securetoken.google.com/, it is an ID token. If iss is a service account email, it is a custom token.
Inspect Your Firebase ID Token
Paste your Firebase JWT above to see the UID, provider, custom claims, and expiry — no Admin SDK needed.
Frequently Asked Questions
Why does my Firebase token fail to decode?
Firebase tokens are standard JWTs and decode like any other. If decoding fails, check that you have the full token (it starts with eyJ) and have not accidentally copied just part of it or included extra whitespace.
How do I get the Firebase UID from a decoded token?
Both the sub and user_id claims contain the UID — they are the same value. Use either one. In your backend verification code, use the Admin SDK's verifyIdToken() which returns a DecodedIdToken object with a uid property.
Can I decode a Firebase token without the Admin SDK?
Yes — decoding is just base64url decoding and requires no key or SDK. Verification (confirming the signature is valid) requires the Firebase public keys, which is what verifyIdToken() handles.
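The checks described on this page (token type from iss, UID, sign-in provider, top-level custom claims, exp - iat), as an added Node.js example that is not part of the original page. makeSampleToken, the demo-project ID and all sample values are constructed for illustration.

```javascript
// Claims Firebase sets itself, per the sample payload on this page; any other
// top-level field on an ID token is reported as a custom claim.
const STANDARD = new Set(['iss', 'aud', 'auth_time', 'user_id', 'sub', 'iat',
  'exp', 'email', 'email_verified', 'firebase']);
const ID_ISS = 'https://securetoken.google.com/';

const b64urlToJson = (seg) => JSON.parse(
  Buffer.from(seg.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8'));
const jsonToB64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Hypothetical helper: builds a constructed token with a dummy signature segment.
function makeSampleToken(payload) {
  return [jsonToB64url({ alg: 'RS256', typ: 'JWT' }), jsonToB64url(payload), 'c2FtcGxl'].join('.');
}

function inspectFirebaseToken(rawToken, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = rawToken.trim().split('.');
  if (parts.length !== 3 || !parts[0].startsWith('eyJ')) {
    throw new Error('incomplete token: expected header.payload.signature');
  }
  const p = b64urlToJson(parts[1]);
  const iss = String(p.iss || '');
  const isId = iss.startsWith(ID_ISS);
  const customClaims = {};
  if (isId) {
    for (const [k, v] of Object.entries(p)) if (!STANDARD.has(k)) customClaims[k] = v;
  }
  return {
    type: isId ? 'id_token' : iss.includes('@') ? 'custom_token' : 'unknown',
    uid: isId ? p.sub : null,
    uidConsistent: isId ? p.sub === p.user_id : null, // sub and user_id must match
    provider: isId && p.firebase ? p.firebase.sign_in_provider : null,
    issuerMatchesAudience: isId ? iss === ID_ISS + p.aud : null,
    customClaims,
    lifetimeSeconds: p.exp - p.iat, // 3600 for an ID token
    expired: nowSeconds >= p.exp,
    signatureVerified: false, // decoding never checks the signature
  };
}

// Constructed sample: the payload shown on this page plus two custom claims.
const sample = makeSampleToken({
  iss: ID_ISS + 'demo-project', aud: 'demo-project', auth_time: 1700000000,
  user_id: 'abc123xyz', sub: 'abc123xyz', iat: 1700000000, exp: 1700003600,
  email: 'user@example.com', email_verified: true,
  firebase: { identities: { email: ['user@example.com'] }, sign_in_provider: 'password' },
  admin: true, tier: 'pro' });
console.log(inspectFirebaseToken(sample, 1700000100));
```

The result describes what the token claims, not who the caller is; a backend still needs verifyIdToken() before acting on the UID or any custom claim.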

