🎫

Decode JWT

Decode a JWT token without signature verification to inspect its contents.

POST 1 credit /v1/auth/jwt-decode

curl -X POST "https://auth.toolkitapi.io/v1/auth/jwt-decode" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiIsImV4cCI6MTcxMjcwMjQwMH0.abc123"
  }'

import httpx

resp = httpx.post(
    "https://auth.toolkitapi.io/v1/auth/jwt-decode",
    json={
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiIsImV4cCI6MTcxMjcwMjQwMH0.abc123"
  },
)
print(resp.json())

const resp = await fetch("https://auth.toolkitapi.io/v1/auth/jwt-decode", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiIsImV4cCI6MTcxMjcwMjQwMH0.abc123"
  }),
});
const data = await resp.json();
console.log(data);

# See curl example

Response 200 OK

{
  "header": {"alg": "HS256", "typ": "JWT"},
  "payload": {"sub": "user_123", "role": "admin", "exp": 1712702400},
  "signature": "abc123signature=="
}

Try It Live

Description

Decode a JWT token without signature verification to inspect its contents.

How to Use

1

1. Provide the `token` string you want to inspect.

2

2. Send a POST request. No secret key is needed since verification is skipped.

3

3. Examine the `header` for algorithm info, the `payload` for claims, and the `signature` for the raw signature bytes.

About This Tool

The Decode JWT endpoint extracts the header, payload, and signature from a JWT token without performing any signature verification. This makes it a pure inspection tool — useful for debugging, logging, or examining tokens when you don't have the signing key.

Since no verification is performed, the decoded payload should never be trusted for authentication or authorization decisions. Use the JWT Verify endpoint for that purpose.

The signature is returned as a Base64-encoded string, allowing you to compare it against expected values or examine the raw token structure.

Why Use This Tool

Debugging authentication issues — Inspect token contents without needing the signing key
Logging and audit — Extract claims from tokens for logging purposes
Token inspection tools — Build UI tools that display JWT contents
Algorithm detection — Check which algorithm a token was signed with before verification
Claim extraction — Read payload claims like `exp`, `iss`, or `sub` for routing or display

Frequently Asked Questions

Is it safe to use the decoded payload for authorization?

No. Since the signature is not verified, the payload could be forged. Always use the JWT Verify endpoint to validate tokens before trusting their claims.

Can I decode tokens from any provider?

Yes. This endpoint decodes any valid JWT structure regardless of the issuer, algorithm, or signing key. It works with tokens from Auth0, Firebase, AWS Cognito, or any JWT-compliant system.

What if the token is malformed?

The endpoint returns a 400 error with a descriptive message. Common issues include missing segments (JWTs must have exactly three dot-separated parts) or invalid Base64 encoding.

Start using Decode JWT now

Get your free API key and make your first request in under a minute.

Get Free API Key View Docs