Short answer

A practical API-debugging guide that combines JSON validation, JWT inspection, Base64 handling, and Unix timestamp checks.

01

Split the failure into layers

Changing the request body, transport, authentication, and business logic at the same time makes an API failure harder to diagnose. Record the status code, response Content-Type, and raw body first, then change one layer per attempt. A 400 is not always malformed JSON, and a 401 is not always an expired token.

Do not paste production tokens or customer records into tickets. Build a synthetic sample that preserves the structure and still reproduces the failure.

  • Separate expected and actual status codes.
  • Keep the raw response before formatting it.
  • Change one variable in each experiment.
02

Validate JSON against the contract

Check syntax before meaning. Trailing commas, single quotes, unescaped newlines, and strings in numeric fields are common. Valid JSON can still violate the API contract, so compare required fields, null behavior, date formats, and nested shapes with the schema.

A formatted view makes key and type differences visible. Reduce a large body to the smallest failing sample to learn whether one value or the overall shape causes the error.

03

Do not mistake decoding for verification

JWT headers and payloads use Base64URL and are not necessarily encrypted. Reading sub, aud, iss, exp, and nbf helps diagnosis, but decoding does not prove the signature. Verify it on a trusted server with the expected key, issuer, audience, and algorithm.

Never accept the token's alg value as the policy. Pin allowed algorithms server-side and test key rotation and clock-skew behavior explicitly.

  • Never log a complete bearer token.
  • Keep decoding and signature verification distinct.
  • Review exp, nbf, aud, and iss together.
04

Close time and encoding traps

Unix timestamps may be seconds or milliseconds. A thirteen-digit value interpreted as seconds produces a wildly incorrect date; JWT exp values are normally seconds. Compare UTC and local views and measure clock drift between client and server.

Base64URL replaces characters and may omit padding. Once the cause is known, preserve the corrected sample as a regression test so the same bug becomes visible before deployment.

RELATED TOOLS

Put this guide into practice

09JSON Formatter & ValidatorValidate, pretty-print, or minify JSON data.24JWT DecoderRead JWT header and payload as local JSON without verifying the signature.13Base64 Encoder & DecoderEncode Unicode text to Base64 or decode it back.23Unix Timestamp ConverterConvert between epoch seconds, milliseconds, and human-readable dates.
Editorial note

Visual suggestion: A four-stage debugging pipeline from request body to authentication and time validation. This article is general information, not legal or security advice.

Turn guidance into action

Start working on-device with 29 tools

Explore tools