Skip to main content
Utilnivo

Developer

Utilnivo

JWT Header Decoder

Decode JWT header JSON to inspect algorithm and token type fields.

No registration
  • On your device

Browse more in Developer or all tools.

Private on your device

Your information stays on your device and is not uploaded.

What is a JWT decoder?

A JWT decoder reads the header and payload of a JSON Web Token without verifying signatures. Useful for debugging auth tokens locally—never paste production secrets into untrusted sites.

This JWT header decoder reveals the first segment of JSON Web Tokens—typically `alg`, `typ`, and key identifiers. Confirm signing algorithms and kid values when troubleshooting auth middleware and key rotation.

The header declares how the token was signed—it does not prove the signature is valid.

Reject tokens with unexpected algorithms like `none` or weak HMAC in production policies.

How to use this tool

Paste the full JWT and read the decoded header JSON. Match `alg` and `kid` against your verification configuration.

Worked example

Example: decode header `{ "alg": "RS256", "typ": "JWT", "kid": "abc123" }` to pick the correct public key from your JWKS endpoint.

When to use this

  • Tracing key rotation issues after JWKS updates.
  • Verifying algorithm negotiation in multi-tenant apps.
  • Security reviews of third-party issued tokens.

Common examples

  • Access token from OAuth login → inspect `exp`, `sub`, and `roles` claims.
  • Staging vs production token → compare `iss` and `aud` without verifying signature locally.
  • Expired session token → confirm `exp` timestamp against current time in the payload view.
  • Staging ID token → confirm `aud` matches your SPA client ID before release.
  • Expired refresh token → verify `exp` claim against local clock skew.

What people search for

Common mistakes

  • Trusting token settings without checking them in your own app.
  • Confusing header with encrypted JWE protected headers.
  • Ignoring `kid` when multiple signing keys are active.
  • jwt rs256 vs hs256 header check
  • decode jwks kid from jwt header
  • jwt typ at+jwt vs jwt difference

How it works

Paste a JWT (optionally with a Bearer prefix). The tool splits header, payload, and signature, Base64URL-decodes the first two segments, and pretty-prints them as JSON. Common time claims (iat, nbf, exp) are shown as timestamps. Signatures are displayed but not verified.

Limitations

Decoding a JWT does not verify its signature or prove the token is valid, trusted, or unexpired. Do not paste production secrets into untrusted tools.

Privacy and file handling

Your data stays on your device and is not uploaded.

These pages use the same jwt decoder with guides tailored to specific search intents.

FAQ

Frequently asked questions

What is typ in the header?

Usually `JWT` for access tokens; some profiles use values like `at+jwt` for OAuth access tokens.

Can header alone authenticate a user?

No. You need a valid signature verified with the issuer secret or public key.

Header decode without payload?

Paste the full token—the tool decodes both segments together.

Page last reviewed: