What is the JWT header?
It contains metadata about the token.
Decode JWT headers instantly. Inspect algorithm and token metadata from JSON Web Tokens.
JWT Header Decoder extracts and displays the header section of a JSON Web Token. The header typically includes metadata such as the signing algorithm and token type.
Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Output
Algorithm
alg : HS256
family : HMAC
hash : SHA-256
min key : 256 bits
grade : B ████░ Good
HMAC with SHA-256. Symmetric — both parties share the same secret.
Recommendation:
Ensure the secret is at least 32 bytes of cryptographically random data.
Rotate secrets regularly.
Avoid if the verifier is untrusted (symmetric = anyone who verifies can also forge).
Token type
typ : JWT
encrypted : no (JWS)
nested : no
compressed : no
has key hint: no
Key guidance
Key format : Raw bytes (256-bit minimum)
Key store : Environment variable or secrets manager — never in source code
Verify with: The same HMAC secret used to sign
JWKS : Not applicable — HMAC is symmetric, public keys cannot be published
Header fields
alg : "HS256"
RFC 7515 §4.1.1 [security-relevant]
Cryptographic algorithm used to sign or encrypt the token
typ : "JWT"
RFC 7519 §5.1
Token type — 'JWT' for standard tokens, 'at+JWT' for OAuth access tokens
Raw header
{
"alg": "HS256",
"typ": "JWT"
}
The JWT header contains metadata about the token, including the algorithm used for signing and the token type.
Common fields include alg and typ.
No, it only displays the header content.
No, it is Base64URL encoded.
Yes, decoding happens locally.
Yes, decoding does not depend on validity.
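
The header inspection described above can be reproduced offline. The following is an added example, not the tool's own code: it Base64URL-decodes the first segment without checking the signature and derives the same kind of fields shown in the sample output. The names inspect_header, FAMILIES and KEY_HINTS, and the choice of which header parameters count as a key hint, are assumptions.

```python
import base64
import json

# Constructed sample: the token shown in the Input section above.
SAMPLE = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
          "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0."
          "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

# Assumption: prefix-to-family mapping for common JWS "alg" values.
FAMILIES = {"HS": "HMAC", "RS": "RSA PKCS#1 v1.5", "PS": "RSA-PSS", "ES": "ECDSA"}
# Assumption: header parameters treated as a "key hint".
KEY_HINTS = ("kid", "jku", "jwk", "x5u", "x5c", "x5t", "x5t#S256")


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded Base64URL; validate=True rejects whitespace and other junk."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def inspect_header(token: str) -> dict:
    """Decode and summarise the header. The signature is never checked."""
    parts = token.strip().split(".")
    if len(parts) not in (3, 5):  # 3 = JWS compact form, 5 = JWE compact form
        raise ValueError("expected 3 (JWS) or 5 (JWE) dot-separated segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad Base64, bad UTF-8 and bad JSON
        raise ValueError(f"header is not Base64URL-encoded JSON: {exc}") from exc
    if not isinstance(header, dict):
        raise ValueError("header must be a JSON object")
    alg = header.get("alg")
    alg = alg if isinstance(alg, str) else ""
    return {
        "header": header,
        "alg": alg,
        "family": FAMILIES.get(alg[:2], "unknown"),
        "encrypted": len(parts) == 5,
        "nested": str(header.get("cty", "")).upper() == "JWT",
        "compressed": "zip" in header,
        "has_key_hint": any(k in header for k in KEY_HINTS),
        "warnings": ["alg is 'none': token is unsigned"] if alg.lower() == "none" else [],
    }


if __name__ == "__main__":
    print(json.dumps(inspect_header(SAMPLE), indent=2))
```

Because nothing here verifies the signature, the result describes what the token claims about itself and is not evidence that the token is authentic.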