How to Decode a JWT in Postman (Scripts + Visual Inspect)
- Two Postman methods: visual inspect and scripted decode
- Pre-request script to decode a JWT and set environment variables
- Test script to extract claims from a JWT login response
- How to check token expiry in a Postman collection
In Postman you can decode a JWT two ways: paste it into the browser tool above for instant inspection, or write a script inside Postman to extract claims automatically and use them across your collection. Here are both. Both methods only decode the token; neither verifies its signature.
Quick Method: Paste Into the Browser Decoder
When you get a JWT response in Postman and want to quickly inspect the payload:
- In the Postman response body, copy the JWT value
- Paste it into the decoder at the top of this page
- Header and all claims appear instantly
This is fastest for one-off debugging sessions where you just want to read the claims without writing any script.
Postman Test Script: Extract Claims From a Login Response
After a login request returns a JWT, use a Postman test script to decode it and save claims as environment variables:
// Postman Tests tab — runs after the response arrives
const response = pm.response.json();
const token = response.access_token; // adjust to your response shape

// Decode the JWT payload (no library needed in Postman)
function decodeJwtPayload(token) {
    const payload = token.split('.')[1];
    const padded = payload + '=='.slice(0, (4 - payload.length % 4) % 4);
    return JSON.parse(atob(padded.replace(/-/g, '+').replace(/_/g, '/')));
}

const claims = decodeJwtPayload(token);

// Save useful values to environment
pm.environment.set('access_token', token);
pm.environment.set('user_id', claims.sub);
pm.environment.set('token_exp', claims.exp);
console.log('Token expires:', new Date(claims.exp * 1000).toISOString());
Now subsequent requests in the collection can use {{access_token}} and {{user_id}} as variables.
Pre-Request Script: Refresh Token If Expired
Add this to a collection or folder Pre-request Script to automatically refresh the token before it is used:
// Collection-level Pre-request Script
function decodeJwtPayload(token) {
    const payload = token.split('.')[1];
    const padded = payload + '=='.slice(0, (4 - payload.length % 4) % 4);
    return JSON.parse(atob(padded.replace(/-/g, '+').replace(/_/g, '/')));
}

const token = pm.environment.get('access_token');

// Nothing to check until a login request has stored a token
if (token) {
    const claims = decodeJwtPayload(token);
    const now = Math.floor(Date.now() / 1000);
    const bufferSeconds = 60; // refresh 1 minute before expiry

    if (claims.exp - now < bufferSeconds) {
        console.log('Token expiring soon — refreshing...');
        // Trigger your refresh request here
        pm.sendRequest({
            url: pm.environment.get('base_url') + '/auth/refresh',
            method: 'POST',
            header: { 'Content-Type': 'application/json' },
            body: { mode: 'raw', raw: JSON.stringify({ refresh_token: pm.environment.get('refresh_token') }) }
        }, (err, res) => {
            // Only overwrite the stored token when the refresh succeeded
            if (!err && res.code === 200) {
                pm.environment.set('access_token', res.json().access_token);
            }
        });
    }
}
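The script above throws if the stored token is malformed and silently skips the refresh when `exp` is missing. The following added example, which is not code from the original page, classifies a token as valid, expiring, expired, no-exp or malformed and decodes UTF-8 claims correctly; `b64urlToJson`, `inspectJwt` and `makeSampleToken` are hypothetical names and the sample token is constructed. Like the scripts above, it only decodes and does not verify the signature.

```javascript
// Added example: decode only, no signature verification.
// Uses the global atob()/btoa() available in the Postman sandbox and Node 16+.
function b64urlToJson(segment) {
    const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
    const binary = atob(b64 + '='.repeat((4 - b64.length % 4) % 4));
    // atob() yields one char per byte; re-read those bytes as UTF-8
    const utf8 = decodeURIComponent(Array.from(binary, function (c) {
        return '%' + c.charCodeAt(0).toString(16).padStart(2, '0');
    }).join(''));
    return JSON.parse(utf8);
}

// Hypothetical helper: returns { status, header, claims, secondsLeft }
function inspectJwt(token, nowSeconds, bufferSeconds) {
    const bad = { status: 'malformed', header: null, claims: null, secondsLeft: null };
    const parts = typeof token === 'string' ? token.split('.') : [];
    if (parts.length !== 3) return bad;              // not header.payload.signature
    let header, claims;
    try {
        header = b64urlToJson(parts[0]);
        claims = b64urlToJson(parts[1]);
    } catch (e) {
        return bad;                                   // bad base64, UTF-8 or JSON
    }
    if (!claims || typeof claims !== 'object') return bad;
    if (typeof claims.exp !== 'number' || !isFinite(claims.exp)) {
        return { status: 'no-exp', header: header, claims: claims, secondsLeft: null };
    }
    const secondsLeft = claims.exp - nowSeconds;
    let status = 'valid';
    if (secondsLeft <= 0) status = 'expired';
    else if (secondsLeft < bufferSeconds) status = 'expiring';
    return { status: status, header: header, claims: claims, secondsLeft: secondsLeft };
}

// Builds a constructed sample token with a placeholder (invalid) signature
function makeSampleToken(claims) {
    const enc = function (obj) {
        const bytes = encodeURIComponent(JSON.stringify(obj))
            .replace(/%([0-9A-F]{2})/g, function (m, h) { return String.fromCharCode(parseInt(h, 16)); });
        return btoa(bytes).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
    };
    return enc({ alg: 'HS256', typ: 'JWT' }) + '.' + enc(claims) + '.constructed-signature';
}

const sample = makeSampleToken({ sub: 'user-1', name: 'Zoë', exp: 2000 });
console.log(inspectJwt(sample, 1950, 60).status);    // expiring
```

In a pre-request script, call `inspectJwt(pm.environment.get('access_token'), Math.floor(Date.now() / 1000), 60)` and trigger the refresh for every status other than `valid`.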
Viewing JWT Claims in Postman Visualizer
Postman's Visualize tab lets you render custom HTML from response data. You can build a simple JWT claim viewer:
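// Tests tab
const token = pm.response.json().access_token;

function decodeJwtPayload(t) {
    const p = t.split('.')[1];
    return JSON.parse(atob((p + '==').slice(0, p.length + (4 - p.length % 4) % 4).replace(/-/g, '+').replace(/_/g, '/')));
}

// Claim names and values come from the token, so escape them before building HTML.
// '{' is escaped too because the Visualizer treats the template as Handlebars.
function escapeHtml(value) {
    const text = typeof value === 'object' ? JSON.stringify(value) : String(value);
    return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;').replace(/\{/g, '&#123;');
}

const claims = decodeJwtPayload(token);

// Build table rows from claims
const rows = Object.entries(claims)
    .map(function (entry) {
        return '<tr><td>' + escapeHtml(entry[0]) + '</td><td>' + escapeHtml(entry[1]) + '</td></tr>';
    }).join('');
const template = '<table><tr><th>Claim</th><th>Value</th></tr>' + rows + '</table>';
pm.visualizer.set(template);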
This renders all claims as a table in the Visualize tab for easy reading.
Frequently Asked Questions
Does Postman have a built-in JWT decoder?
Not a dedicated panel, but Postman scripts have access to atob() and JSON.parse(), so you can decode JWTs in pre-request or test scripts without any library. The Visualize tab can then display the result.
Can I use CryptoJS to verify JWT signatures in Postman?
Postman includes CryptoJS in the script sandbox. You can compute HMAC-SHA256 signatures for HS256 verification. RS256 verification requires a third-party library, which Postman does not natively support in scripts.
Is there a Postman collection for JWT testing?
Yes — searching the Postman Public API Network for "JWT" returns several pre-built collections for common auth flows. You can also build your own by combining the scripts above with your auth endpoints.

