JWT DecoderJWT Decoder API

OnlineCredit Usage:1 per callRefreshed 1 month ago
avg: 219ms|p50: 207ms|p75: 227ms|p90: 251ms|p99: 298ms

Overview

To use JWT Decoder, you need an API key. You can get one by creating a free account and visiting your dashboard.

POST Endpoint

URL
https://api.apiverve.com/v1/jwtdecoder

Example

How to call the JWT Decoder API in different programming languages.

cURL Request
curl -X POST \
  "https://api.apiverve.com/v1/jwtdecoder" \
  -H "X-API-Key: your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}'
JavaScript (Fetch API)
const response = await fetch('https://api.apiverve.com/v1/jwtdecoder', {
  method: 'POST',
  headers: {
    'X-API-Key': 'your_api_key_here',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
})
});

const data = await response.json();
console.log(data);
Python (Requests)
import requests

headers = {
    'X-API-Key': 'your_api_key_here',
    'Content-Type': 'application/json'
}

payload = {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

response = requests.post('https://api.apiverve.com/v1/jwtdecoder', headers=headers, json=payload)

data = response.json()
print(data)
Go (net/http)
package main

import (
    "fmt"
    "io"
    "net/http"
    "bytes"
    "encoding/json"
)

func main() {
    payload := map[string]interface{}{
        "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
    }

    jsonPayload, _ := json.Marshal(payload)
    req, _ := http.NewRequest("POST", "https://api.apiverve.com/v1/jwtdecoder", bytes.NewBuffer(jsonPayload))

    req.Header.Set("X-API-Key", "your_api_key_here")
    req.Header.Set("Content-Type", "application/json")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
        panic(err)
    }
    defer resp.Body.Close()

    body, _ := io.ReadAll(resp.Body)
    fmt.Println(string(body))
}
Example Response
{
  "status": "ok",
  "error": null,
  "data": {
    "header": {
      "alg": "HS256",
      "typ": "JWT"
    },
    "payload": {
      "sub": "1234567890",
      "name": "John Doe",
      "iat": 1516239022
    },
    "signature": "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
    "isExpired": false,
    "expiresAt": null,
    "issuedAt": "2018-01-18T01:30:22.000Z",
    "tokenAge": "2557 days",
    "algorithm": "HS256",
    "expiresIn": null,
    "notYetValid": false,
    "securityAnalysis": {
      "isUnsecured": false,
      "hasExpiration": false,
      "isLongLived": false,
      "issues": [
        "Token has no expiration (exp) claim — it never expires"
      ]
    },
    "warning": "This API only decodes JWT tokens. It does NOT verify signatures. Do not use for security validation."
  }
}

Authentication

The JWT Decoder API requires authentication via API key. Include your API key in the request header:

Required Header
X-API-Key: your_api_key_here

Learn more about authentication →

Interactive API Playground

Test the JWT Decoder API directly in your browser with live requests and responses.

Parameters

The following parameters are available for the JWT Decoder API:

Decode JWT Token

ParameterTypeRequiredDescriptionDefaultExample
tokenstringrequired
JWT token to decode
-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Response

The JWT Decoder API returns responses in JSON, XML, YAML, and CSV formats. The JSON response is shown in the Example section above; alternative formats below.

Other Response Formats

XML Response
200 OK
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <status>ok</status>
  <error xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
  <data>
    <header>
      <alg>HS256</alg>
      <typ>JWT</typ>
    </header>
    <payload>
      <sub>1234567890</sub>
      <name>John Doe</name>
      <iat>1516239022</iat>
    </payload>
    <signature>SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c</signature>
    <isExpired>false</isExpired>
    <expiresAt xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
    <issuedAt>2018-01-18T01:30:22.000Z</issuedAt>
    <tokenAge>2557 days</tokenAge>
    <algorithm>HS256</algorithm>
    <expiresIn xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
    <notYetValid>false</notYetValid>
    <securityAnalysis>
      <isUnsecured>false</isUnsecured>
      <hasExpiration>false</hasExpiration>
      <isLongLived>false</isLongLived>
      <issues>
        <issue>Token has no expiration (exp) claim — it never expires</issue>
      </issues>
    </securityAnalysis>
    <warning>This API only decodes JWT tokens. It does NOT verify signatures. Do not use for security validation.</warning>
  </data>
</response>
YAML Response
200 OK
status: ok
error: null
data:
  header:
    alg: HS256
    typ: JWT
  payload:
    sub: '1234567890'
    name: John Doe
    iat: 1516239022
  signature: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
  isExpired: false
  expiresAt: null
  issuedAt: '2018-01-18T01:30:22.000Z'
  tokenAge: 2557 days
  algorithm: HS256
  expiresIn: null
  notYetValid: false
  securityAnalysis:
    isUnsecured: false
    hasExpiration: false
    isLongLived: false
    issues:
      - Token has no expiration (exp) claim — it never expires
  warning: >-
    This API only decodes JWT tokens. It does NOT verify signatures. Do not use
    for security validation.
CSV Response
200 OK
keyvalue
header{alg:HS256,typ:JWT}
payload{sub:1234567890,name:John Doe,iat:1516239022}
signatureSflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
isExpiredfalse
expiresAt
issuedAt2018-01-18T01:30:22.000Z
tokenAge2557 days
algorithmHS256
expiresIn
notYetValidfalse
securityAnalysis{isUnsecured:false,hasExpiration:false,isLongLived:false,issues:[Token has no expiration (exp) claim — it never expires]}
warningThis API only decodes JWT tokens. It does NOT verify signatures. Do not use for security validation.

Response Structure

All API responses follow a consistent structure with the following fields:

FieldTypeDescriptionExample
statusstringIndicates whether the request was successful ("ok") or failed ("error")ok
errorstring | nullContains error message if status is "error", otherwise nullnull
dataobject | nullContains the API response data if successful, otherwise null{...}

Learn more about response formats →

Response Data Fields

When the request is successful, the data object contains the following fields:

Response fields marked with Premium are available exclusively on paid plans.View pricing
FieldTypeSample ValueDescription
headerobject{...}
-
algstring"HS256"
-
typstring"JWT"
-
payloadobject{...}
-
substring"1234567890"
-
namestring"John Doe"
-
iatnumber1516239022
-
signaturestring"SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
-
isExpiredbooleanfalse
-
expiresAtobjectnull
-
issuedAtstring"2018-01-18T01:30:22.000Z"
ISO timestamp of when the token was issued (from iat claim)
tokenAgePremiumstring"2557 days"
Human-readable age of the token
algorithmstring"HS256"
Signing algorithm declared in the token header (alg)
expiresInobjectnull
Seconds until the token expires; negative once expired, null if there is no exp claim
notYetValidbooleanfalse
Whether the token's not-before (nbf) claim is still in the future
securityAnalysisPremiumobject{...}
Structural security assessment of the token: unsigned (alg:none) detection, missing expiration, over-long lifetime, and a list of issues. Does not verify the signature.
isUnsecuredbooleanfalse
-
hasExpirationbooleanfalse
-
isLongLivedbooleanfalse
-
issuesarray["Token has no expiration (exp) claim — it never expires"]
-

Headers

Only X-API-Key is required. Optional headers include Accept for response format negotiation (JSON, XML, or YAML), User-Agent, and X-Request-ID for request tracing. See all request headers →

GraphQL AccessALPHA

Access JWT Decoder through GraphQL to combine it with other API calls in a single request. Query only the jwt decoder data you need with precise field selection, and orchestrate complex data fetching workflows.

Test JWT Decoder in the GraphQL Explorer to confirm availability and experiment with queries.

Credit Cost: Each API called in your GraphQL query consumes its standard credit cost.

GraphQL Endpoint
POST https://api.apiverve.com/v1/graphql
GraphQL Query Example
query {
  jwtdecoder(
    input: {
      token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
    }
  ) {
    header {
      alg
      typ
    }
    payload {
      sub
      name
      iat
    }
    signature
    isExpired
    expiresAt
    issuedAt
    tokenAge
    algorithm
    expiresIn
    notYetValid
    securityAnalysis {
      isUnsecured
      hasExpiration
      isLongLived
      issues
    }
    warning
  }
}

Note: Authentication is handled via the x-api-key header in your GraphQL request, not as a query parameter.

CORS Support

The JWT Decoder API accepts cross-origin requests from any origin, so it can be called directly from browser-based applications without a proxy. See CORS support →

Rate Limiting

JWT Decoder requests are throttled per minute on the Free plan and unthrottled on paid plans. Exceeding the limit returns 429 Too Many Requests; rate-limit usage is reported in the X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset response headers. See per-plan limits and best practices →

Error Codes

The JWT Decoder API uses standard HTTP status codes — 200 on success, 400 for invalid parameters, 401 for missing or invalid keys, 403 for insufficient credits, 429 for rate-limit exhaustion, and 500/503 for server-side issues. Each error response includes an X-Request-ID header you can quote when contacting support. See full error handling guide →

SDKs for JWT Decoder

Official JWT Decoder packages on npm, PyPI, NuGet, and JitPack — plus a Postman collection and an OpenAPI spec. See the SDK guide →

No-Code Integrations

JWT Decoder works with Zapier, Make, Pipedream, n8n, and Power Automate using the same API key. See setup guides →

Frequently Asked Questions

How do I get an API key for JWT Decoder?
Sign up for a free account at dashboard.apiverve.com. Your API key will be automatically generated and available in your dashboard. The same key works for JWT Decoder and all other APIVerve APIs. The free plan includes 1,000 credits plus a 500 credit bonus.
How many credits does JWT Decoder cost?

Each successful JWT Decoder API call consumes credits based on plan tier. Check the pricing section above for the exact credit cost. Failed requests and errors don't consume credits, so you only pay for successful jwt decoder lookups.

Can I use JWT Decoder in production?

The free plan is for testing and development only. For production use of JWT Decoder, upgrade to a paid plan (Starter, Pro, or Mega) which includes commercial use rights, no attribution requirements, and guaranteed uptime SLAs. All paid plans are production-ready.

Can I use JWT Decoder from a browser?
Yes! The JWT Decoder API supports CORS with wildcard configuration, so you can call it directly from browser-based JavaScript without needing a proxy server. See the CORS section above for details.
What happens if I exceed my JWT Decoder credit limit?

When you reach your monthly credit limit, JWT Decoder API requests will return an error until you upgrade your plan or wait for the next billing cycle. You'll receive notifications at 80% and 95% usage to give you time to upgrade if needed.

What's Next?

Continue your journey with these recommended resources

Was this page helpful?