jwt.exceptions.InvalidIssuerError: Invalid issuer: what it means and how to fix it

TL;DR: Validate locally, fix the first real error, validate again (no upload).

Fix jwt.exceptions.InvalidIssuerError: Invalid issuer by decoding safely and locally (no upload).

What the error means

jwt.exceptions.InvalidIssuerError: Invalid issuer means a decoder rejected the input as invalid encoding. The fastest path is to identify what format you have, normalize it, then decode again.

Most common real-world causes

JWT problems are often: not 3 segments, wrong key/algorithm, or option mismatch (aud/iss/sub).
The input is not actually encoded in the expected format (Base64 vs Base64URL vs plain text).
You copied only part of the string (truncated token/payload).
Whitespace/newlines were introduced during copy/paste.
Wrong character set: URL-safe Base64 uses '-' and '_' instead of '+' and '/'.
You decoded using the wrong function (decodeURIComponent on non-URL-encoded data, atob on non-Base64).

Fast debugging steps

If you see a JWT library error, decode the token parts first to confirm structure and claims.
Confirm what you are decoding (URL encoding, Base64, Base64URL, JWT).
Trim whitespace and remove line breaks before decoding.
If it's a JWT, ensure it has 3 dot-separated parts (header.payload.signature).
If it's Base64URL, convert '-' -> '+' and '_' -> '/' and add padding if needed.

Code example (python)

# Python (PyJWT) troubleshooting
import jwt

try:
    if token.count('.') != 2:
        raise ValueError('JWT must have 3 segments')

    # Debug only: decode WITHOUT verifying signature (do not trust the result)
    header = jwt.get_unverified_header(token)
    payload = jwt.decode(token, options={"verify_signature": False})

    print('header', header)
    print('payload', payload)

    # Verification requires correct key + algorithms + optional claims
    # payload = jwt.decode(token, key, algorithms=['HS256'], audience='...', issuer='...')
except Exception as e:
    print(type(e).__name__, str(e))

Fix without uploading data

Encoded strings often contain secrets (tokens, IDs). Decode locally and share only redacted snippets.

URL Encode/Decode for percent-encoding.
Base64 Encode/Decode for Base64/Base64URL payloads.
JWT Decoder to inspect header/payload without uploads.

FAQ

Is Base64 the same as Base64URL? No. Base64URL uses '-' and '_' and often omits padding. Normalize before decoding.

Does decoding a JWT verify it? No. Decoding shows claims; verification requires the signing key.

Next steps

Related tools

Base64 Encode/Decode URL Encode/Decode Query string ↔ JSON JWT Decoder

Related guides

URL encoding explained Decode Base64 without uploading Encode Base64 without uploading Base64URL vs Base64 Base64URL → Base64 convert Base64 padding (=) explained atob/btoa explained Decode JWT without uploading

Related by intent

Invalid character in the given encoding: causes and fixes Fix invalid Unicode escapes in JSON (no upload) Base64URL invalid character: why decoding fails (and how to fix it) Unescaped '&' in XML URLs: fix entity reference errors fast XML parsererror: what it means and how to fix invalid XML

Privacy & Security

All processing happens locally in your browser. Files are never uploaded.