DEV Community

Danny Cranmer

How to Debug JWT Tokens Without Sending Them to a Server

Every developer has pasted a JWT into jwt.io at some point. But have you thought about what happens to that token?

JWT tokens contain sensitive information — user IDs, roles, permissions, expiration times. Some even contain email addresses and names in custom claims. When you paste one into a web-based decoder, that token is often sent to a server for processing.

Why This Matters

A JWT token is essentially a signed JSON object. The header and payload are just Base64url-encoded (the URL-safe variant of Base64), so anyone can decode them. But the act of sending your production token to a third-party server means:

  • Your user data is exposed to that service
  • The token could be logged, cached, or stored
  • If the token hasn't expired, it could theoretically be reused

The Client-Side Alternative

I built a JWT decoder that runs entirely in your browser. No server calls. No analytics on your tokens. Just paste → decode → done.

Try it: DevToolbox JWT Decoder

Here's what it shows you:

  • Header — Algorithm, token type
  • Payload — All claims, beautifully formatted
  • Expiration — Human-readable "expires in X hours" with visual indicator
  • Signature — Verification status

How JWT Decoding Works (No Server Needed)

A JWT has three parts separated by dots: header.payload.signature

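// That's nearly all client-side decoding takes. JWT segments are Base64url,
// so map them to standard Base64 before atob(), then decode the bytes as UTF-8.
const b64urlToJson = (seg) => JSON.parse(new TextDecoder().decode(
  Uint8Array.from(atob(seg.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0))));
const [header, payload, signature] = token.split('.');
const decodedHeader = b64urlToJson(header);
const decodedPayload = b64urlToJson(payload);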

The header and payload are just Base64url-encoded JSON, so your browser can decode them instantly with no server round-trip.
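A fuller offline inspector along the same lines, as an added example (not code from the original post or from DevToolbox): it handles Base64url and non-ASCII claims, reports the expiration window, and marks the claims as untrusted because decoding does not verify the signature. The function names and the sample token are constructed for illustration.

```javascript
// Offline JWT inspection: runs in a browser or Node 16+ and makes no network calls.
// Function names and the sample token are constructed for this example.

// Decode one Base64url segment to a UTF-8 string.
function b64urlDecode(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error('segment is not Base64url');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Inverse helper, used only to build the constructed sample token below.
function b64urlEncode(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode header and payload and describe the token's validity window.
// nowSec is injectable so results are reproducible.
function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const warnings = ['signature not verified: claims are untrusted'];
  if (String(header.alg).toLowerCase() === 'none') warnings.push('alg is "none": token is unsigned');
  let status = 'no exp claim';
  if (typeof payload.exp === 'number') {
    const left = payload.exp - nowSec;
    status = left > 0
      ? `expires in ${(left / 3600).toFixed(1)} hours`
      : `expired ${(-left / 3600).toFixed(1)} hours ago`;
  }
  if (typeof payload.nbf === 'number' && payload.nbf > nowSec) status = 'not yet valid (nbf in future)';
  return { header, payload, status, warnings };
}

// Constructed sample: fixed timestamps, a non-ASCII claim, and a placeholder signature.
const NOW = 1700000000;
const sampleToken = [
  b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64urlEncode(JSON.stringify({ sub: 'user-42', name: 'Zoë', exp: NOW + 7200 })),
  'c2lnbmF0dXJl', // placeholder bytes, not a real HMAC
].join('.');
console.log(inspectJwt(sampleToken, NOW).status);
```
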

Other Tools That Don't Need Your Data

DevToolbox has 19 developer tools that all work the same way — entirely in your browser:

  • JSON Formatter — Format, validate, minify JSON
  • Base64 Encoder/Decoder — Encode and decode Base64
  • Regex Tester — Test patterns with real-time highlighting
  • Hash Generator — SHA-256, MD5, and more
  • URL Encoder/Decoder — Handle URL-encoded strings
  • QR Code Generator — Generate QR codes for URLs, text, WiFi, and more
  • Password Generator — Secure passwords with customizable rules

All free, no signup, no tracking: DevToolbox


Do you check where your dev tools send your data? I'd love to hear what tools you've found that respect your privacy.
