JWT decode

POST /api/jwt-decode

Decode a JWT into its header, payload, and signature parts without verifying the signature. Useful for debugging tokens you do not have the verification key for.

Splits a JWT (`header.payload.signature`), base64url-decodes the first two parts, and returns them as JSON. Convenience fields are added on top: - `expired`: based on `exp` claim vs current time. - `expiresInSeconds`: time remaining until expiry. - `algorithm`: from the header. This tool does NOT verify the signature — that needs the secret (HS256/384/512) or public key (RS256/etc.). Use `jwt-verify` when authenticity matters; this one is for debugging and inspection only.

Inputs

Name	Type	Default	Description
token*	string	—	JWT in `header.payload.signature` form.

Response

Modes: json. Cache: yes (24h TTL).

Code samples

Built from the demo example.


curl -X POST https://api.xtract.bot/api/jwt-decode \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "X-Account-Id: $XTRACT_ACCOUNT_ID" \
  -H "X-Api-Key: $XTRACT_API_KEY" \
  -d '{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}'