DevFormat

Inspect JWT Header & Algorithm

Instantly view the cryptographic algorithm and header metadata of your JWT locally.

Processed in-browser. Private & Secure.

JWT Structure Diagram (RFC 7519)

Example token, three Base64URL segments separated by dots (header.payload.signature):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsIm5hbWUiOiJBbGljZSIsImV4cCI6MTcwOTQwMDAwMH0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

Base64URL encoded

Contains the token type (JWT) and signing algorithm (e.g. HS256, RS256).

Payload

Base64URL encoded

Contains claims: sub, iat, exp, user roles, and custom data.

Signature

HMAC / RSA signed

Ensures integrity: it cannot be forged without the HMAC secret (HS256) or the private key (RS256), and the server must verify it before trusting any claim in the payload.

⚠️ The Header and Payload are NOT encrypted; they are only Base64URL encoded, so anyone holding the token can read them. Never put secrets in the payload. Only a verified Signature guarantees authenticity.

Anatomy of a JSON Web Token (JWT) — Header, Payload, and Signature
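The decoding step that the diagram describes, as an added example that is not DevFormat's tool code: split the token on dots, undo the Base64URL encoding of the first two segments, and parse them as JSON. It uses only Node's built-in Buffer; the function names are this example's own, and the token is the sample from the diagram above. Decoding is not verification: nothing read this way should be trusted until the signature has been checked.

```javascript
// Added example, not DevFormat's code: decode a JWT's header and payload the
// way an in-browser inspector does, using only Node's built-in Buffer.
// The token is the sample from the structure diagram on this page.
const SAMPLE_JWT =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiJ1c2VyXzEyMyIsIm5hbWUiOiJBbGljZSIsImV4cCI6MTcwOTQwMDAwMH0." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

// Base64URL (RFC 4648 section 5) uses '-' and '_' instead of '+' and '/'
// and drops the '=' padding. Restore standard Base64 before decoding.
function base64UrlToBuffer(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment is not Base64URL");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64 + "=".repeat((4 - (b64.length % 4)) % 4), "base64");
}

// Decoding is not verification: this reads the token and trusts nothing in it.
function inspectJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = JSON.parse(base64UrlToBuffer(headerSeg).toString("utf8"));
  const payload = JSON.parse(base64UrlToBuffer(payloadSeg).toString("utf8"));
  // The signature is raw bytes, not JSON. For HS256 it is a 32-byte
  // HMAC-SHA256 tag, so only its length is reported here.
  const signatureBytes = base64UrlToBuffer(signatureSeg).length;
  return { header, payload, signatureBytes };
}

// RFC 7519 time claims are integer seconds since the epoch (NumericDate);
// a token is expired once the current time is no longer before exp.
function isExpired(payload, nowSeconds) {
  return typeof payload.exp === "number" && nowSeconds >= payload.exp;
}

const info = inspectJwt(SAMPLE_JWT);
console.log(JSON.stringify(info, null, 2));
console.log("expired now:", isExpired(info.payload, Math.floor(Date.now() / 1000)));
```

Run it with `node inspect.js`; the sample decodes to the header `{"alg":"HS256","typ":"JWT"}` and the payload `{"sub":"user_123","name":"Alice","exp":1709400000}`, and the Base64URL check on each segment rejects tokens that have been mangled by URL encoding or copy-paste.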

JWT Security: Cryptographic Algorithms (HS256 vs RS256)

HS256 vs. RS256: Symmetric vs. Asymmetric

The 'alg' header parameter of your JWT declares how the token was signed. HS256 uses a single shared secret (the same key signs and verifies), while RS256 uses an RSA private key to sign and the matching public key to verify. Auditing this header is critical to ensure you aren't relying on insecure defaults. The best-known failure is the 'none' algorithm: a server that lets the token choose its own algorithm may accept an unsigned token whose header has been changed to 'none'. A related failure is algorithm confusion, where a server expecting RS256 is handed an HS256 token whose MAC was computed with the public key as the secret. Both are fixed on the server by pinning the accepted algorithms and the key for each one, never by trusting the header.

Detecting Infrastructure Patterns

The header may also carry 'kid' (Key ID), which tells the verifying server which of its keys (for example, which entry in a JWKS document) should check the signature, and 'typ', which declares the media type of the token (normally "JWT"). Because the header is attacker-controlled, 'kid' should be resolved by exact lookup in a fixed key table and never used as a file path, SQL value or template input. Inspecting these fields locally lets you debug 'Signature Invalid' errors (wrong key, rotated key, mismatched algorithm) without pasting live tokens into a third-party decoder, whose logs would then hold your token lifecycle and key management patterns.
