A practical API-debugging guide that combines JSON validation, JWT inspection, Base64 handling, and Unix timestamp checks.
Split the failure into layers
Changing the request body, transport, authentication, and business logic at the same time makes an API failure harder to diagnose. Record the status code, response Content-Type, and raw body first, then change one layer per attempt. A 400 is not always malformed JSON, and a 401 is not always an expired token.
Do not paste production tokens or customer records into tickets. Build a synthetic sample that preserves the structure and still reproduces the failure.
- Separate expected and actual status codes.
- Keep the raw response before formatting it.
- Change one variable in each experiment.
Validate JSON against the contract
Check syntax before meaning. Trailing commas, single quotes, unescaped newlines, and strings in numeric fields are common. Valid JSON can still violate the API contract, so compare required fields, null behavior, date formats, and nested shapes with the schema.
A formatted view makes key and type differences visible. Reduce a large body to the smallest failing sample to learn whether one value or the overall shape causes the error.
Do not mistake decoding for verification
JWT headers and payloads use Base64URL and are not necessarily encrypted. Reading sub, aud, iss, exp, and nbf helps diagnosis, but decoding does not prove the signature. Verify it on a trusted server with the expected key, issuer, audience, and algorithm.
Never accept the token's alg value as the policy. Pin allowed algorithms server-side and test key rotation and clock-skew behavior explicitly.
- Never log a complete bearer token.
- Keep decoding and signature verification distinct.
- Review exp, nbf, aud, and iss together.
Close time and encoding traps
Unix timestamps may be seconds or milliseconds. A thirteen-digit value interpreted as seconds produces a wildly incorrect date; JWT exp values are normally seconds. Compare UTC and local views and measure clock drift between client and server.
Base64URL replaces characters and may omit padding. Once the cause is known, preserve the corrected sample as a regression test so the same bug becomes visible before deployment.
Visual suggestion: A four-stage debugging pipeline from request body to authentication and time validation. This article is general information, not legal or security advice.