A JWT usually carries who you are and what you're allowed to do. When you debug one, you tend to paste the whole token into the first "JWT decoder" search result — and a lot of those sites send that token straight to their own server to decode it. For a throwaway test token that's harmless. For a real access token from staging or production, you've just handed a stranger a working credential.
You don't have to guess which kind of site you're on. Here's how I check.
Why a JWT decoder can be risky
A JWT isn't encrypted — it's signed. The header and payload are just Base64URL-encoded JSON, so anything that can read the token can read every claim inside it: user id, email, roles, expiry, sometimes more. If the token hasn't expired, it's still usable. A decoder that ships your token off to a backend has, for a moment, a valid credential in its logs.
How to check what a decoder does with your token
Open your browser's dev tools, go to the Network tab, clear it, then paste a token into the decoder. Watch what happens:
- No request fires → the page decoded it in your browser. Safe.
- A request fires with your token in the URL or POST body → it went to their server.
That's the whole test. It takes about ten seconds and it's the only way to know for sure, regardless of what the marketing copy claims. Leave the Network tab open for a few seconds after pasting, and keep "Preserve log" on: some pages don't send anything until you click "verify", blur the input, or navigate away.
You can decode the payload yourself
A JWT is three Base64URL chunks joined by dots: header.payload.signature. The first two are just JSON. You can decode either part with any Base64 tool — no special "JWT" service required (here `token` holds the JWT string, and the signature, the third segment, is never needed just to read the claims):

```javascript
// Split into the three segments; the signature is ignored when only reading claims.
const [header, payload] = token.split(".");
// Base64URL -> Base64: swap '-' and '_' back; atob() tolerates the dropped '=' padding.
const fromB64Url = (s) => atob(s.replace(/-/g, "+").replace(/_/g, "/"));
console.log(JSON.parse(fromB64Url(header)), JSON.parse(fromB64Url(payload)));
```
Once you've seen that it's only Base64, the "send it to our server to decode" sites stop making sense. There's nothing on the server that your browser can't do.
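As an added example (not code from the original post or from ToolsTray), here is the same idea turned into a small local inspector for Node.js. It restores the Base64URL padding explicitly, decodes as UTF-8 rather than through `atob()` (which mangles non-ASCII claim values), flags an expired `exp`, and makes it obvious that nothing about the signature has been checked. The sample token is the widely published jwt.io demo token, used here only because its header and payload are public; the helper names are my own.

```javascript
// Added example: inspect a JWT locally without sending it anywhere.
// It reads what the token *claims*; it does not verify the signature.

function base64UrlToBuffer(segment) {
  // Base64URL uses '-' and '_' and drops the '=' padding; restore standard Base64.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid Base64URL segment length");
  if (rem) b64 += "=".repeat(4 - rem);
  return Buffer.from(b64, "base64");
}

function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [h, p] = parts;
  // Decode as UTF-8 so claims like a non-ASCII "name" survive intact.
  const header = JSON.parse(base64UrlToBuffer(h).toString("utf8"));
  const payload = JSON.parse(base64UrlToBuffer(p).toString("utf8"));
  // 'exp' is seconds since the epoch (RFC 7519); a missing exp is treated as "not expired".
  const expired = typeof payload.exp === "number" ? payload.exp <= now : false;
  // signatureVerified is always false here: decoding tells you nothing about authenticity.
  return { header, payload, expired, signatureVerified: false };
}

// Public demo token from jwt.io (HS256). Its header and payload are well known,
// so reading them proves nothing secret is needed to decode a JWT.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
```

Run it with `node inspect-jwt.js` (any file name works). The `signatureVerified: false` field is deliberate: a decoder, local or remote, only shows you the claims, and an unsigned or tampered token decodes just as cleanly as a valid one.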
Decode it locally instead
This is exactly why ToolsTray JWT decoder runs entirely in the browser — paste a token, read the claims, and nothing leaves the tab. It's the same convenience as the popular sites without the token ever crossing the network.
Before you paste: never share the signing secret
Reading the payload is safe. Verifying the signature is where people leak the thing that actually matters.
Verifying a JWT needs the signing secret or private key. Never paste that into a website — a secret is far more sensitive than a single token. Verify signatures locally, or in code you control.