Stop pasting JWTs into jwt.io

rmb — Wed, 03 Jun 2026 09:35:51 +0000

You're debugging an authentication issue. The frontend is getting a 403. You copy the JWT from the Authorization header, open jwt.io in a new tab, paste it in, and check the claims.

Most developers do this multiple times a week. I did too.

The problem: jwt.io is a third-party website. When you paste a token there, you're sending your authentication credential to their servers.

Here's what actually happens when you paste into jwt.io:

The token appears in their server logs. It's in the referrer headers if you navigated from somewhere. It may be in Cloudflare or CDN edge cache logs. Their servers receive it at minimum for the TLS handshake. You have no visibility into their logging or retention practices.

None of that is jwt.io's fault – they're a legitimate tool and they've been clear about their security model. The issue is that production tokens with real claims (user IDs, permission scopes, email addresses, or API credentials embedded in custom claims) probably shouldn't transit through third-party infrastructure at all.

Why it feels fine but isn't

JWT payloads are Base64url-encoded, not encrypted. The header and payload are readable to anyone. That's by design – JWTs are for integrity, not confidentiality. The signature is what prevents tampering; the contents are intentionally readable.

This means decoding a JWT doesn't require any server-side computation. Your browser can do it in one line.

Open your browser console right now and run:

const token = 'your.jwt.here'
const [header, payload] = token.split('.').slice(0, 2)
console.log(JSON.parse(atob(payload.replace(/-/g, '+').replace(/_/g, '/'))))

That's it. No library. No server. No upload. The entire decode operation happens in your browser's JavaScript runtime.

You can also do this:

// Paste this function anywhere
function decodeJWT(token) {
  const parts = token.split('.')
  const decode = str => JSON.parse(atob(str.replace(/-/g, '+').replace(/_/g, '/')))
  return {
    header: decode(parts[0]),
    payload: decode(parts[1]),
    signature: parts[2] // Can't decode without the secret key
  }
}

When tokens contain things that actually matter

The real risk isn't a short-lived access token for a public API. It's:

Service account tokens – Long-lived, often stored in CI/CD pipelines, granting broad API access
Refresh tokens embedded in JWTs – Some auth systems encode refresh credentials in custom claims
Internal service tokens – Tokens for your internal microservices that contain environment-specific URLs or config
Tokens with PII in claims – Email addresses, user IDs, phone numbers in the payload
Tokens used for high-privilege operations – Admin access, billing actions, data exports

For these, the transit risk is real. A compromised token for an internal admin service is more valuable to an attacker than you'd think.

The no-upload alternative

If you want a full UI with field labeling, expiration parsing, and copy buttons, there are client-side decoders that run entirely in your browser.

brevio JWT Decoder is one – it uses the same atob approach in the browser console, just with a UI. The difference from jwt.io: no network request is made when you decode. Open DevTools → Network tab and verify this yourself; you'll see no outbound request after the initial page load.

Squoosh, CyberChef (self-hosted), and browser extensions like jwt-inspector are other options in the "stays local" category.

The real question

When you copy a JWT from a production request and paste it somewhere, ask: what service did this token come from, what can it do, and how long is it valid?

If it's a 15-minute access token for read-only data on a public API, the risk is low. If it's a 24-hour admin token with write access to production data, pasting it into any external tool is a security incident waiting to happen.

The browser console one-liner takes three seconds and involves zero third parties. Default to that.

For developers who handle confidential files and sensitive data, brevio.pro offers browser-only tools for PDF processing, image compression, JSON formatting, and JWT decoding — nothing leaves your browser.

DEV Community: rmb

Stop pasting JWTs into jwt.io

Why it feels fine but isn't

When tokens contain things that actually matter

The no-upload alternative

The real question