📊JSON / Data📝Text / Strings💻HTML / Code🔄Converters🔐Tokens / Security⚙️Generators👁️Viewers / Lookup
🔐JWT Decoder⏱️JWT Expiry Checker📋JWT Header Viewer#️⃣Hash Generator🔑HMAC Generator🛡️Password Strength Checker

JWT Header Viewer

View JWT header information instantly. See algorithm, token type, and more.

How to View JWT Header

  • Paste your JWT token into the input field
  • Click "View Header" to inspect the header section
  • See the algorithm used for signing
  • Check the token type and other claims
  • Understand header parameters like kid (Key ID)
  • Copy header information for debugging

Understanding JWT Header

📋 Header Structure

The JWT header contains metadata about the token:

  • alg: Algorithm (HS256, RS256, etc.)
  • typ: Token type (usually "JWT")
  • kid: Key ID (for key rotation)

🔐 Common Algorithms

  • HS256: HMAC with SHA-256
  • RS256: RSA with SHA-256
  • ES256: ECDSA with SHA-256
  • none: No signature (avoid!)

Explore Other Token Tools

🔐JWT Decoder

Use Tool →

⏱️JWT Expiry Checker

Use Tool →

#️⃣Hash Generator

Use Tool →

🔑HMAC Generator

Use Tool →

🛡️Password Strength Checker

Use Tool →

Frequently Asked Questions

What is the JWT header?

The JWT header is the first part of a JWT token that contains metadata about how the JWT was signed. It's a JSON object that's Base64URL-encoded and typically includes the algorithm type and token type.

What does alg mean in JWT header?

The "alg" (algorithm) parameter specifies the cryptographic algorithm used to sign the JWT. Common values include HS256 (HMAC SHA-256), RS256 (RSA SHA-256), and ES256 (ECDSA SHA-256).

Should I use RS256 or HS256?

Use HS256 for simple scenarios where the same secret is used for signing and verification. Use RS256 when you need asymmetric encryption (public key verification, private key signing), which is better for distributed systems and public APIs.

What is the kid field in JWT header?

The "kid" (key ID) parameter helps identify which key was used to sign the JWT. This is essential for key rotation - you can have multiple active keys and the kid tells the server which public key to use for verification.

Is the JWT header encrypted?

No, the JWT header is only Base64URL-encoded, not encrypted. Anyone can decode it and read its contents. Never put sensitive information in the header. JWTs can be encrypted (JWE), but standard JWTs (JWS) are only signed.

What is the JOSE header?

JOSE (JSON Object Signing and Encryption) is the standard that defines the JWT header structure. The JWT header is technically called the JOSE header and follows specifications defined in RFC 7515 (JWS) and RFC 7516 (JWE).

Why is alg none dangerous?

The "none" algorithm means the JWT has no signature, making it trivial to forge. Attackers can create tokens with any payload. Always reject tokens with alg=none in production systems and configure your JWT library to disallow it.

Can I add custom fields to JWT header?

Yes, you can add custom header parameters, but they should follow JOSE specifications. Common custom fields include kid, x5t (X.509 certificate thumbprint), and jku (JWK Set URL). Avoid adding unnecessary data to keep tokens small.

What is the typ field in JWT header?

The "typ" (type) parameter declares the media type of the JWT. It's typically set to "JWT" but can be omitted as JWT is implied. Some systems use "at+jwt" for access tokens or "JWT" for general tokens.

How do I verify JWT signature?

The header's alg field tells you which algorithm to use. For HS256, use the shared secret key. For RS256/ES256, use the public key. Concatenate the encoded header and payload with a dot, apply the algorithm, and compare with the signature.

JWT Header Tutorial

The JWT header, also known as the JOSE (JSON Object Signing and Encryption) header, contains critical information about how the JWT is processed and validated.

Header Processing

  1. Server receives JWT token
  2. Splits token into header, payload, signature
  3. Base64URL-decodes the header
  4. Reads alg parameter to determine verification method
  5. Retrieves appropriate key (using kid if present)
  6. Verifies signature using specified algorithm
  7. Processes payload if signature valid

Algorithm Types

  • HMAC (HS): Symmetric
  • RSA (RS): Asymmetric
  • ECDSA (ES): Asymmetric
  • RSASSA-PSS (PS): Asymmetric
  • EdDSA: Curve25519

Optional Headers

  • kid: Key identifier
  • jku: JWK Set URL
  • x5t: X.509 thumbprint
  • x5c: X.509 chain
  • cty: Content type

Security Tips

  • • Reject alg=none
  • • Validate alg whitelist
  • • Don't trust header blindly
  • • Verify key ID (kid)
  • • Use strong algorithms

Header Best Practices

✅ DO

  • ✓ Use RS256 for public APIs
  • ✓ Include kid for key rotation
  • ✓ Validate algorithm whitelist
  • ✓ Keep headers minimal
  • ✓ Use strong signature algorithms
  • ✓ Document your algorithm choice
  • ✓ Version your keys

❌ DON'T

  • ✗ Don't use alg=none
  • ✗ Don't put sensitive data in header
  • ✗ Don't skip algorithm validation
  • ✗ Don't use weak algorithms
  • ✗ Don't trust header without verification
  • ✗ Don't hardcode algorithm names
  • ✗ Don't ignore security advisories

Learning Resources

RFC 7515 - JWS (JSON Web Signature)— Official JOSE header specification

JWT.io - Algorithm Guide— Comprehensive JWT algorithm documentation

Auth0 - JWT Security Vulnerabilities— Understanding JWT header attacks

RFC 7518 - JWA (JSON Web Algorithms)— Detailed algorithm specifications

Contact Us

Have questions about JWT headers? We're here to help!

Get In Touch

Send us a message for assistance with JWT tokens.

Contact Us

We respond to all inquiries within 24-48 hours.