xtract.bot

POST /api/jwt-verify1 quota unit per call · cache hits free

Verify a JWT signature with HS256/HS384/HS512 and return the decoded claims. Catches expired, mis-issued, or wrong-audience tokens with a clear error.

Verifies a JWT against a shared secret and, on success, returns the decoded claims. On failure returns `{valid: false, reason}`. Verification covers: - Signature validity (HS256 / HS384 / HS512). - `exp` (expiry) and `nbf` (not-before) claims. - Optional `issuer` / `audience` checks if you supply them. Missing or extra claims are fine — only the ones you check are enforced.

Inputs

NameTypeDefaultDescription
jwt*stringThe JWT to verify (a `header.payload.signature` string).
secret*stringHMAC secret. Must match the one used to sign the token.
expectedAlgorithmenum (HS256 | HS384 | HS512)If set, the token's alg header must match. Recommended for production verifiers.
clockSkewSecondsnumber (0…3600)0Tolerance applied to exp and nbf checks (seconds).
ignoreExpirationbooleanfalseSkip the exp claim check.
ignoreNotBeforebooleanfalseSkip the nbf claim check.

Response

Modes: json. Cache: not cacheable.

Every response carries x-cache (HIT / MISS / BYPASS), x-cache-signature (stable across identical inputs), and the rate-limit headers listed below.

Quota & limits

Cost per call1 unit against the 10,000-unit monthly quota. Cache hits are free — only cache misses decrement.
Burst limit200 requests per rolling minute, shared across all tools.
Max request size64 KiB (base64 inflates file payloads ~33% — the limit applies to the decoded bytes).
Max response size64 KiB
Timeout5s wall clock.
Rate-limit headersX-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Burst-Limit on every response; X-Quota-Warning once 80% of the monthly quota is spent; Retry-After on 429s.

Errors

Errors are JSON with an error string; schema failures add a details object (Zod's flattened field errors).

StatusWhenBody
400Input fails the tool's schema (wrong type, missing required field, malformed base64) or the file bytes can't be parsed as the expected format.{ "error": "invalid inputs", "details": { "fieldErrors": { … } } }
401Missing or invalid X-Api-Key / X-Account-Id headers (or no session when called from the browser).{ "error": "unauthorized" }
404Unknown tool id, or calling /api/* on the website hostname instead of api.xtract.bot.{ "error": "not found" }
413Request body over the tool's max request size, or an image header declaring more megapixels than the tool's pixel budget.{ "error": "…exceeds maxRequestBytes…" }
415Content-Type isn't application/json on the json-body transport.{ "error": "unsupported content-type; expected application/json" }
429Monthly quota or the 200/min burst limit exhausted. Check Retry-After and the X-RateLimit-* headers.{ "error": "monthly quota exceeded", "monthRemaining": 0, … }
5xxConversion engine failure. Safe to retry; if it persists, the input is hitting a bug — please report it.{ "error": "…" }

Code samples

Built from the hs256-valid example.


curl -X POST https://api.xtract.bot/api/jwt-verify \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "X-Account-Id: $XTRACT_ACCOUNT_ID" \
  -H "X-Api-Key: $XTRACT_API_KEY" \
  -d '{
  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhYmMifQ.MIb6eKpdYqVdJlBJoxgs2etwnehc70Smm5oNQAkN35M",
  "secret": "secret",
  "expectedAlgorithm": "HS256",
  "ignoreExpiration": true
}'