Home / Blog / JWT Decode API
Tutorial

JWT Decode API: The Complete Guide

Published: January 12, 2026 · 6 min read

Need to decode JSON Web Tokens in your application? This guide covers everything you need to know about JWT decoding via API, including JWT structure, claims inspection, and implementation examples.

What is a JWT?

A JWT (JSON Web Token) is a compact, URL-safe means of representing claims between two parties. JWTs are commonly used for authentication and information exchange, encoded as a string of three Base64URL-encoded parts separated by dots.

Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U

JWT Structure

A JWT consists of three parts:

Header

Contains metadata about the token, including the algorithm used for signing (e.g., HS256, RS256).

Payload

Contains the claims - statements about the user and additional data. Common claims include sub, iat, exp, and iss.

Signature

Created by signing the encoded header and payload with a secret key. Used to verify the token's integrity.

Important: Decoding reveals the payload contents but does NOT verify the signature. Always verify tokens server-side before trusting the claims.

Using the JWT Decode API

TinyFn provides a simple endpoint to decode JWTs:

API Request 
POST https://api.tinyfn.io/v1/decode/jwt
Headers: X-API-Key: your-api-key
Content-Type: application/json

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}
Response 
{
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  },
  "payload": {
    "sub": "1234567890",
    "name": "John Doe",
    "iat": 1516239022
  },
  "signature": "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
  "is_expired": false
}

Parameters

Parameter Type Description
token string JWT token to decode (required)

Code Examples

JavaScript / Node.js

const response = await fetch('https://api.tinyfn.io/v1/decode/jwt', {
  method: 'POST',
  headers: {
    'X-API-Key': 'your-api-key',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ token: 'eyJhbGciOiJIUzI1...' })
});
const result = await response.json();
console.log(result.payload); // { sub: "1234567890", name: "John Doe", ... }

Python

import requests

response = requests.post(
    'https://api.tinyfn.io/v1/decode/jwt',
    json={'token': 'eyJhbGciOiJIUzI1...'},
    headers={'X-API-Key': 'your-api-key'}
)
result = response.json()
print(result['payload'])  # {"sub": "1234567890", "name": "John Doe", ...}

cURL

curl -X POST "https://api.tinyfn.io/v1/decode/jwt" \
  -H "X-API-Key: your-api-key" \
  -H "Content-Type: application/json" \
  -d '{"token": "eyJhbGciOiJIUzI1..."}'

Common Use Cases

  • Debugging: Inspect token contents during development
  • Client-side Display: Show user info from token payload
  • Token Analysis: Check expiration and claims
  • Security Auditing: Examine tokens for sensitive data exposure
  • Documentation: Display example token structures

Best Practices

  1. Never trust decoded data alone: Always verify signatures server-side
  2. Check expiration: Validate the exp claim before using token data
  3. Don't expose secrets: Never put sensitive data in JWT payloads
  4. Use HTTPS: Always transmit JWTs over encrypted connections

Try the JWT Decode API

Get your free API key and start decoding JWTs in seconds.

Get Free API Key

Related Articles

Ready to try TinyFn?

Get your free API key and start building in minutes.

Get Free API Key