Dev Tools · 5 min read

Decoding JWTs Safely Without Sending Them to a Server

Pasting a JWT into the wrong online decoder hands its payload to whoever runs that site. A primer on what JWTs leak and how to inspect them safely.

JWTs look opaque, so people treat them as opaque blobs. They aren't. The middle segment is just base64-encoded JSON, and that JSON usually contains user IDs, email addresses, role assignments, tenant identifiers, and sometimes much more. Pasting it into a random online decoder hands the contents to whoever runs that site.

This matters more than people realize because JWTs leak in a few predictable ways. Engineers paste them into Slack while debugging. They end up in screenshots that get filed in tickets. They get pasted into ChatGPT and Cursor. And, the original sin, they get pasted into 'jwt.io clones' that may or may not be logging every paste.

The fix is to decode them in your browser. The decoding itself is trivial — split on '.', base64-decode the first two segments, parse as JSON. Any half-decent JWT decoder runs entirely client-side because there's nothing about decoding that needs a server. (Verifying the signature is a different matter and requires the public key, but signature verification is rarely the reason someone is pasting a token into a tool.)

Things to actually look at when inspecting a JWT:

— alg in the header. If it's 'none', the token is unsigned and not safe to trust. If it's HS256, the secret is shared and the issuer can verify it. If it's RS256 or ES256, signing is asymmetric and only the holder of the private key could have produced it.

— exp claim. Unix timestamp. A surprising number of bug reports come down to clock skew between client and server, or tokens that look valid but are 12 minutes past their expiry.

— iat / nbf. Issued-at and not-before timestamps. Sometimes useful for replay protection.

— aud and iss. Audience and issuer. If a service accepts tokens with the wrong audience, you've got a confused-deputy problem.

— Custom claims. Read these. They often contain the user ID, organization ID, role list, and feature flags. If you see PII like full names or email addresses, your security team probably wants to know.
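The decode-and-inspect routine described above, written out as an added example (not the decoder this post links to). It runs entirely client-side, never verifies the signature, and only reports findings from the checklist; the sample token, the `expectedAud`/`expectedIss` options and the `skewSeconds` tolerance are constructed for illustration. Note that JWT segments use the base64url alphabet without padding, so a plain base64 decoder chokes on them.

```javascript
// JWT segments are base64url (RFC 7515): '-' and '_' alphabet, no '=' padding.
function base64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // UTF-8, so non-ASCII claims survive intact
}

// Split on '.', decode header and payload, note whether a signature segment exists.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return {
    header: JSON.parse(base64urlDecode(parts[0])),
    payload: JSON.parse(base64urlDecode(parts[1])),
    signaturePresent: parts[2].length > 0,
  };
}

// The checklist from the post; returns findings, not a verdict (nothing here verifies the signature).
function inspectJwt(token, opts = {}) {
  const { expectedAud, expectedIss, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 0 } = opts;
  const { header, payload, signaturePresent } = decodeJwt(token);
  const findings = [];
  if (String(header.alg).toLowerCase() === 'none' || !signaturePresent) {
    findings.push('unsigned: alg is none or the signature segment is empty');
  } else if (String(header.alg).startsWith('HS')) {
    findings.push(`symmetric ${header.alg}: every holder of the shared secret can mint tokens`);
  }
  if (typeof payload.exp === 'number' && payload.exp + skewSeconds < nowSeconds) {
    findings.push(`expired ${nowSeconds - payload.exp}s ago`);
  }
  if (typeof payload.nbf === 'number' && payload.nbf - skewSeconds > nowSeconds) findings.push('not yet valid: nbf is in the future');
  if (expectedAud && ![].concat(payload.aud ?? []).includes(expectedAud)) findings.push(`audience mismatch: ${JSON.stringify(payload.aud)}`);
  if (expectedIss && payload.iss !== expectedIss) findings.push(`issuer mismatch: ${payload.iss}`);
  const pii = ['email', 'name', 'given_name', 'family_name', 'phone_number'].filter((k) => k in payload);
  if (pii.length) findings.push(`PII claims present: ${pii.join(', ')}`);
  return findings;
}

// Constructed sample token (not a real credential): HS256 header, payload with PII, fake signature.
function base64urlEncode(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_TOKEN = [
  base64urlEncode({ alg: 'HS256', typ: 'JWT' }),
  base64urlEncode({ sub: 'user-123', email: 'ada@example.com', exp: 1700000000, aud: 'billing', iss: 'https://issuer.example' }),
  'not-a-real-signature',
].join('.');
```

Run `inspectJwt(SAMPLE_TOKEN, { expectedAud: 'api', nowSeconds: 1700000720 })` to see the symmetric-alg, expiry, audience and PII findings fire together.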

Our JWT decoder runs in your browser, displays each segment with its parsed JSON, and never transmits the token anywhere. If you must paste a token into a tool to debug, paste it into a tool you've network-tabbed to verify it isn't phoning home.