I work with JWTs almost every day.
At some point, I realized how often we casually paste real production tokens into online tools just to “quickly check something”.
And that started to feel uncomfortable.
The problem with online JWT decoders
Most online JWT decoders are convenient.
They are also remote services.
That means:
- your token leaves your machine
- you don’t really know how long it’s stored
- you don’t know who can access it
Even if the service is “trusted”, copying sensitive auth data into a website is still a risk.
What I wanted instead
I wanted something:
- local
- simple
- fast
- always available in the browser
Without sending tokens anywhere.
My solution
I ended up building a small Chrome extension that:
- automatically captures JWTs from requests
- decodes them locally
- shows headers, payload and claims in a readable format
No servers. No tracking. No external calls.
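What "decodes them locally" comes down to, as an added example that is not code from the extension: the header and payload of a JWT are just base64url-encoded JSON, so they can be read in-process without any network call. The function names and the sample token below are assumptions made for illustration.

```javascript
// Added example: decode a JWT in-process, with no network calls.
// Decoding is not verification: the signature is never checked here.

// Convert one base64url segment (RFC 7515, unpadded) to UTF-8 text.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error("segment is not base64url");
  }
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently replacing it
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split a compact JWS and parse header and payload; throws on malformed input.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected three dot-separated segments");
  }
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  return {
    header,
    payload,
    // exp is seconds since the epoch (RFC 7519); null when the claim is absent
    expired: typeof payload.exp === "number" ? payload.exp <= nowSeconds : null,
    unsigned: header.alg === "none" || parts[2] === "",
    signatureVerified: false, // this function never has the key
  };
}

// Constructed sample token (made-up claims, placeholder signature).
function makeSampleToken() {
  const enc = (obj) =>
    btoa(String.fromCharCode(...new TextEncoder().encode(JSON.stringify(obj))))
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const header = { alg: "HS256", typ: "JWT" };
  const payload = { sub: "user-123", name: "Zoë", exp: 1700000000 };
  return `${enc(header)}.${enc(payload)}.c2FtcGxlLXNpZw`;
}

console.log(decodeJwt(makeSampleToken()));
```

It runs unchanged in a browser console or in Node.js, since it relies only on `atob`, `btoa`, `TextEncoder` and `TextDecoder`.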
Why this works better (for me)
- safer for real-world tokens
- faster than copy-paste
- fits naturally into daily dev workflow
If you’re curious, the project is open-source and available here:
👉 https://github.com/softcoredevman/jwttokendecode
For convenience, it's also available in the Chrome Web Store:
👉 https://chromewebstore.google.com/detail/jwt-token-decode/fijcephcnbnajgkaeiamgcbeddmdfmnl
How do you usually inspect JWTs in your workflow?
Top comments (1)
I also published this article on Hashnode:
softcoredevman.hashnode.dev/why-i-...