Skip to main content

Endpoint

POST https://api.bunny.build/api/v1/jwt-decoder

Authentication

HeaderRequiredValue
X-API-KeyYesYour API key (bun_...)
Content-TypeYesapplication/json

Overview

Decode any JSON Web Token (JWT) and inspect its header, payload claims, and expiration metadata. This endpoint does not verify the signature; it decodes the token structure for debugging, logging, and display purposes.

Use cases

  • Debug token claims during development and integration testing
  • Display user metadata from a JWT in an admin panel
  • Log token details for audit trails without storing raw tokens
  • Inspect third-party tokens to understand their structure

Details

Decodes standard three-part JWTs (header.payload.signature). Signature verification is not performed. The raw signature string is returned alongside the decoded header and payload. Human-readable timestamps and token status flags are derived from standard claims and returned in a meta object.

Request body

FieldTypeRequiredDescription
tokenstringYesJWT string to decode

Example

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

Response

200 OK

FieldTypeDescription
headerobjectDecoded JWT header claims (e.g. alg, typ)
payloadobjectDecoded JWT payload claims
signaturestringRaw base64url-encoded signature segment (third part of the token)
metaobjectDerived metadata — see fields below
meta
FieldTypeDescription
algorithmstring | nullSigning algorithm from header.alg (e.g. "HS256")
typestring | nullToken type from header.typ (e.g. "JWT")
issued_atstring | nullISO 8601 timestamp derived from iat claim
expires_atstring | nullISO 8601 timestamp derived from exp claim
not_beforestring | nullISO 8601 timestamp derived from nbf claim
issuerstring | nullValue of the iss claim
subjectstring | nullValue of the sub claim
audiencestring | nullValue of the aud claim
expiredboolean | nullWhether the token is currently expired (null if no exp claim)
not_yet_validboolean | nullWhether the token is not yet valid per nbf (null if no nbf claim)
Example
{
  "header": { "alg": "HS256", "typ": "JWT" },
  "payload": {
    "sub": "1234567890",
    "name": "John Doe",
    "iat": 1516239022,
    "exp": 1893456000
  },
  "signature": "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
  "meta": {
    "algorithm": "HS256",
    "type": "JWT",
    "issued_at": "2018-01-18T01:30:22.000Z",
    "expires_at": "2029-12-31T00:00:00.000Z",
    "not_before": null,
    "issuer": null,
    "subject": "1234567890",
    "audience": null,
    "expired": false,
    "not_yet_valid": null
  }
}

401 Unauthorized

{
  "detail": "Missing API key. Include X-API-Key header."
}

402 Payment Required

{
  "detail": "Monthly quota exceeded. Upgrade your plan."
}

422 Unprocessable Entity

{
  "detail": "Invalid JWT format"
}

429 Too Many Requests

{
  "detail": "Rate limit exceeded. Try again in 60 seconds."
}

cURL example

curl -X POST https://api.bunny.build/api/v1/jwt-decoder \
  -H "X-API-Key: bun_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}'