What Is a JWT and What's Inside It?
If you're a developer, you're probably familiar with JWT (JSON Web Token).
It's the standard format used for authentication and authorization in
modern APIs.
A JWT looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
It looks like random gibberish, but it's actually three parts separated
by dots (.):
- Header — the algorithm used to sign the token
- Payload — user data such as user ID, role, email, permissions
- Signature — used to verify the token hasn't been tampered with
⚠️ The Payload is only base64url encoded — not encrypted.
Anyone who has the token can decode it instantly.
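To make the three-part structure concrete, here is an added example (not code from the original post) that splits a JWT on the dots, decodes the base64url header and payload, and checks an HS256 signature locally. JWT segments drop the "=" padding that ordinary base64 decoders expect, so the helper restores it. The token decoded below is the one shown above; the secret, the claims in the locally built token and all function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Added example, not from the original post: decode and verify a JWT offline.


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, re-adding the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    """Inverse of b64url_decode: base64url without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str) -> tuple:
    """Return (header, payload, raw signature bytes). Does NOT verify anything."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload, b64url_decode(sig_b64)


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time.

    The alg is pinned to HS256 so a header claiming another algorithm
    (or "none") is rejected instead of silently trusted.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256 JWT; used here only to produce a locally signed demo token."""
    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


# The token shown in the post (the well-known jwt.io sample).
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

# Constructed secret for the local demo only; real secrets never belong in source.
DEMO_SECRET = b"constructed-demo-secret"


def tamper_demo() -> tuple:
    """Sign a token locally, then edit a claim without knowing the real key.

    Returns (genuine_verifies, edited_verifies): the payload is readable and
    editable by anyone, but the signature is what the server trusts.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    good = sign_hs256(header, {"sub": "usr_8f72kd92", "role": "user"}, DEMO_SECRET)
    h, p, _ = decode_jwt(good)
    p["role"] = "admin"                          # anyone can change the decoded payload...
    edited = sign_hs256(h, p, b"wrong-secret")   # ...but not produce a valid signature
    return verify_hs256(good, DEMO_SECRET), verify_hs256(edited, DEMO_SECRET)


if __name__ == "__main__":
    header, payload, signature = decode_jwt(SAMPLE_TOKEN)
    print("header: ", header)
    print("payload:", payload)
    print("signature bytes:", len(signature))
    print("genuine verifies, edited verifies:", tamper_demo())
```

Everything here runs on the machine where the token already is; nothing is sent anywhere, which is the whole point of the post.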
What's the Problem?
When your JWT isn't working as expected, or you just want to peek
inside it, most developers do this...
Open Google, search "JWT decoder online", and paste the token in.
And that's exactly the problem.
What Kind of Data Is Inside Your JWT?
Here's a real-world example of what a Payload typically contains:
{
"sub": "usr_8f72kd92",
"email": "john.doe@company.com",
"role": "admin",
"org_id": "org_production_us_east",
"permissions": ["read:users", "write:users", "delete:records"],
"iat": 1716239022,
"exp": 1716325422
}
Your JWT payload might contain:
- ✉️ Email and full name of the user
- 🔑 Role and permissions such as admin, superuser
- 🏢 Organization ID or tenant ID of your company
- 🪪 User ID from your production database
- 📅 Expiration time — meaning the token is still active
What Can Online Decoders Do With Your Data?
When you paste a JWT into a random online decoder,
here's what can happen behind the scenes:
Your Token Gets Sent to Their Server
Most online tools process your token server-side —
not in your browser. The moment you hit decode,
your token has already left your machine.
It Gets Logged
Servers log everything they receive — including your JWT.
That log could be stored for days, months, or indefinitely.
Data Could Be Sold or Analyzed
Most "free" tools are free because your data is the product.
Their Server Could Get Hacked
If the decoder site gets breached,
every token stored in their logs is exposed — including yours.
Real Scenarios Where This Goes Wrong
Scenario 1: Production Token
You're debugging a production issue, copy a JWT from a request header,
and paste it into a decoder. That token is still valid,
has admin-level permissions, and just left your network.
Scenario 2: A Client's Token
You're a freelancer and your client sends you a token to debug.
Your client's user data is now sitting on a third-party server
you know nothing about.
Scenario 3: Your Whole Dev Team
Your team uses the same online decoder every day.
Tokens from every environment — dev, staging, production —
are being logged in one place you don't control.
The Safe Alternative
Option 1: Use the Command Line
Decode the payload (the middle segment) of a JWT. JWT segments are
base64url without "=" padding, so add the padding back (and map the
base64url characters "-" and "_" to "+" and "/") or base64 -d may report
invalid input:
echo "eyJzdWIiOiIxMjM0NTY3ODkwIn0=" | tr '_-' '/+' | base64 -d
Works, but hard to read and not practical for daily use.
Option 2: Use a Tool That Runs 100% In Your Browser
inspectly.dev/jwt — a JWT Analyzer that:
- ✅ Runs 100% in your browser — nothing is ever sent to a server
- ✅ Decodes header, payload, and signature with syntax highlighting
- ✅ Automatically checks token expiration
- ✅ Flags security issues in your token
- ✅ Free, no sign-up required
- ✅ Works offline after first load
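The two lists above (what a payload typically carries, and what a local inspector should report about it) can be demonstrated in a few lines. This is an added example and not the code of inspectly.dev or of the original post: it decodes only the payload segment, checks the exp claim against a supplied clock, and lists which claims would be exposed if the token were pasted into a third-party tool. The payload is the one from the post's example; the claim categories, the 24h lifetime threshold and all names are assumptions made for this illustration.

```python
import base64
import json
import time
from typing import Optional

# Added example, not the tool's code: audit a JWT payload entirely offline.

# Which claims reveal something worth protecting; categories are an assumption.
SENSITIVE_CLAIMS = {
    "sub": "user identifier",
    "email": "personal data",
    "name": "personal data",
    "role": "authorization",
    "permissions": "authorization",
    "org_id": "tenant identity",
}

# Sample payload copied from the post's example (constructed values).
SAMPLE_PAYLOAD = {
    "sub": "usr_8f72kd92",
    "email": "john.doe@company.com",
    "role": "admin",
    "org_id": "org_production_us_east",
    "permissions": ["read:users", "write:users", "delete:records"],
    "iat": 1716239022,
    "exp": 1716325422,
}


def payload_from_token(token: str) -> dict:
    """Decode the middle base64url segment only; no signature check, no network."""
    segment = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def audit_payload(payload: dict, now: Optional[int] = None) -> dict:
    """Report whether the token is still live and what it would expose.

    `now` is injectable so the check is reproducible; it defaults to the wall clock.
    """
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")
    iat = payload.get("iat")
    findings = []

    if exp is None:
        findings.append("no exp claim: token never expires")
    elif exp <= now:
        findings.append(f"expired {now - exp} s ago")
    else:
        findings.append(f"still valid for {exp - now} s")

    if iat is not None and exp is not None and exp - iat > 86400:
        findings.append("lifetime longer than 24h")

    if payload.get("role") in ("admin", "superuser"):
        findings.append("privileged role: " + payload["role"])

    exposed = {k: SENSITIVE_CLAIMS[k] for k in payload if k in SENSITIVE_CLAIMS}
    return {"live": exp is None or exp > now, "exposed": exposed, "findings": findings}


if __name__ == "__main__":
    # A clock between iat and exp of the sample payload, so the token is still live.
    report = audit_payload(SAMPLE_PAYLOAD, now=1716300000)
    print(json.dumps(report, indent=2))
```

A live token with a privileged role and a production tenant id is exactly the case the post's first scenario describes; the report makes that visible before anyone decides where to paste it.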
The Simple Rule
▎ If the token comes from staging or production —
▎ never paste it into a tool you don't trust.
It takes 10 seconds to open a safe alternative.
It could take months to recover from a leaked admin token.
👉 Try it now at inspectly.dev/jwt
— free, no sign-up, 100% private.
Found this useful? Share it with your team —
especially anyone who works with JWTs daily. 🙏
Have questions or feedback? Drop a comment below.