Skip to main content
Utilnivo

Developer

JWT Header Decoder

  • Browser-based
  • No signup

This JWT header decoder reveals the first segment of JSON Web Tokens—typically `alg`, `typ`, and key identifiers. Confirm signing algorithms and kid values when troubleshooting auth middleware and key rotation.

The header declares how the token was signed—it does not prove the signature is valid.

Reject tokens with unexpected algorithms like `none` or weak HMAC in production policies.

100% Client-Side

Your data never leaves your computer.

How to use this tool

Paste the full JWT and read the decoded header JSON. Match `alg` and `kid` against your verification configuration.

Worked example

Example: decode header `{ "alg": "RS256", "typ": "JWT", "kid": "abc123" }` to pick the correct public key from your JWKS endpoint.

When to use this

  • Tracing key rotation issues after JWKS updates.
  • Verifying algorithm negotiation in multi-tenant apps.
  • Security reviews of third-party issued tokens.

Common examples

  • Access token from OAuth login → inspect `exp`, `sub`, and `roles` claims.
  • Staging vs production token → compare `iss` and `aud` without verifying signature locally.
  • Expired session token → confirm `exp` timestamp against current time in the payload view.
  • Staging ID token → confirm `aud` matches your SPA client ID before release.
  • Expired refresh token → verify `exp` claim against local clock skew.

What people search for

  • jwt decoder
  • decode jwt token
  • jwt payload viewer
  • json web token decoder
  • inspect bearer token

Common mistakes

  • Trusting header `alg` without enforcing an allowlist server-side.
  • Confusing header with encrypted JWE protected headers.
  • Ignoring `kid` when multiple signing keys are active.
  • jwt rs256 vs hs256 header check
  • decode jwks kid from jwt header
  • jwt typ at+jwt vs jwt difference

How it works

Paste a JWT (optionally with a Bearer prefix). The tool splits header, payload, and signature, Base64URL-decodes the first two segments, and pretty-prints them as JSON. Common time claims (iat, nbf, exp) are shown as timestamps. Signatures are displayed but not verified.

Limitations

Decoding a JWT does not verify its signature or prove the token is valid, trusted, or unexpired. Do not paste production secrets into untrusted tools.

Privacy and file handling

Your data is processed in your browser and is not uploaded to our server.

These pages use the same jwt decoder with guides tailored to specific search intents.

Frequently asked questions

What is typ in the header?

Usually `JWT` for access tokens; some profiles use values like `at+jwt` for OAuth access tokens.

Can header alone authenticate a user?

No. You need a valid signature verified with the issuer secret or public key.

Header decode without payload?

Paste the full token—the tool decodes both segments together.

Page last reviewed: