What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims transferred between two parties. It consists of three base64url-encoded parts separated by dots: a header, a payload, and a signature. JWTs are widely used for authentication and information exchange in REST APIs and single-page applications.
How to Decode a JWT
- Copy a JWT from your browser DevTools, Authorization header, or code.
- Paste it into the input field above.
- Click Decode to see the header, payload, and signature.
- Check the exp claim to see when the token expires.
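The same decode step, written out as an added Node.js example that is not the tool's own code: split the token on its two dots, base64url-decode the first two parts into JSON, and read the time-based claims. The sample token is constructed inline (its third segment is a dummy string, not a real signature), and nothing here verifies anything.

```javascript
// Added example: decode a JWT's header and payload WITHOUT verifying it (Node.js).
// The token is constructed in this file; the signature segment is a placeholder.

function base64UrlDecode(segment) {
  // base64url uses '-' and '_' instead of '+' and '/' and drops '=' padding,
  // so restore standard base64 before handing it to Buffer.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split header.payload.signature and parse the two JSON parts.
// The signature is returned still encoded: without the key it cannot be checked.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerB64)),
    payload: JSON.parse(base64UrlDecode(payloadB64)),
    signature: signatureB64,
  };
}

// Evaluate exp and nbf against `now` (seconds since the Unix epoch).
// This only tells you whether the clock says the token is usable; it says
// nothing about whether the token is genuine.
function checkTimeClaims(payload, now = Math.floor(Date.now() / 1000)) {
  const result = { expired: false, notYetValid: false };
  if (typeof payload.exp === 'number' && now >= payload.exp) result.expired = true;
  if (typeof payload.nbf === 'number' && now < payload.nbf) result.notYetValid = true;
  return result;
}

// Constructed sample token: real JSON header and payload, dummy signature segment.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({
    sub: 'user-123',                 // subject
    iss: 'https://issuer.example',   // issuer (placeholder URL)
    iat: 1700000000,                 // issued at
    nbf: 1700000000,                 // not before
    exp: 1700003600,                 // expires one hour after iat
  })),
  'dummy-signature',
].join('.');

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log('header :', decoded.header);
console.log('payload:', decoded.payload);
console.log('time   :', checkTimeClaims(decoded.payload, 1700001000));
```

Run it with `node decode.js`; the header line prints `{ alg: 'HS256', typ: 'JWT' }`, which is exactly what a browser decoder shows. Note that the dummy signature segment is accepted without complaint, which is the point: decoding does not detect a forged or altered token.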
Common JWT Claims
- sub: Subject — the user or entity the token refers to.
- iss: Issuer — who created and signed the token.
- exp: Expiration time — when the token expires (Unix timestamp).
- iat: Issued at — when the token was created.
- nbf: Not before — the token is invalid before this time.
Decoding vs. Verifying — An Important Difference
This is the single most misunderstood point about JWTs, so it is worth being precise. The header and payload of a JWT are only base64url-encoded, not encrypted. Encoding is not secrecy — anyone who has the token can decode it and read every claim inside, exactly as this tool does. That is why you must never put a password, an API secret, or other sensitive data in a JWT payload.
What protects a JWT is the signature, the third part. The signature is created by the issuer using a secret key (or a private key) and proves two things: that the token was issued by a trusted party, and that the payload has not been altered since. Decoding shows you the contents; verifying checks the signature against the key. A decoder like this one lets you inspect a token while debugging — to see who it is for, what scopes it carries, and when it expires — but it deliberately does not verify the signature. Real verification must happen on your server with the correct secret or public key, because that key must never reach the browser.
Frequently Asked Questions
Is a JWT encrypted?
No. A standard JWT is encoded, not encrypted. Anyone holding the token can read the header and payload. Never store secrets in a JWT — only put data you are comfortable with the client seeing.
Does this tool check if my token is valid?
It decodes the token and shows the exp claim so you can see whether it has expired, but it does not verify the cryptographic signature. Signature verification requires the secret or public key and must be done on your backend.
Why does my token have three parts separated by dots?
A JWT is always header.payload.signature. Each part is base64url-encoded separately. The dots let a parser split the three sections quickly without ambiguity.
Is my token sent anywhere?
No. Decoding happens entirely in your browser using standard JavaScript. The token you paste is never transmitted to any server or stored.