Forem: Максим Дмитрийчук The latest articles on Forem by Максим Дмитрийчук (@__318386c). https://forem.com/__318386c https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3709418%2F642f70b8-8c9c-44fc-a1d0-2c417c385266.jpg Forem: Максим Дмитрийчук https://forem.com/__318386c en Why I stopped decoding JWTs online Максим Дмитрийчук Tue, 13 Jan 2026 16:32:09 +0000 https://forem.com/__318386c/why-i-stopped-decoding-jwts-online-3e33 https://forem.com/__318386c/why-i-stopped-decoding-jwts-online-3e33 <p>I work with JWTs almost every day.</p> <p>At some point, I realized how often we casually paste real production tokens into online tools just to “quickly check something”.</p> <p>And that started to feel uncomfortable.</p> <h2> The problem with online JWT decoders </h2> <p>Most online JWT decoders are convenient.<br><br> They are also remote services.</p> <p>That means:</p> <ul> <li>your token leaves your machine</li> <li>you don’t really know how long it’s stored</li> <li>you don’t know who can access it</li> </ul> <p>Even if the service is “trusted”, copying sensitive auth data into a website is still a risk.</p> <h2> What I wanted instead </h2> <p>I wanted something:</p> <ul> <li>local</li> <li>simple</li> <li>fast</li> <li>always available in the browser</li> </ul> <p>Without sending tokens anywhere.</p> <h2> My solution </h2> <p>I ended up building a small Chrome extension that:</p> <ul> <li>automatically captures JWTs from requests</li> <li>decodes them locally</li> <li>shows headers, payload and claims in a readable format</li> </ul> <p>No servers. No tracking. No external calls.</p> <h2> Why this works better (for me) </h2> <ul> <li>safer for real-world tokens</li> <li>faster than copy-paste</li> <li>fits naturally into daily dev workflow</li> </ul> <p>If you’re curious, the project is open-source and available here:<br> 👉 <a href="https://github.com/softcoredevman/jwttokendecode" rel="noopener noreferrer">https://github.com/softcoredevman/jwttokendecode</a></p> <p>For convenience, it's also available in the Chrome Web Store:<br> 👉 <a href="https://chromewebstore.google.com/detail/jwt-token-decode/fijcephcnbnajgkaeiamgcbeddmdfmnl" rel="noopener noreferrer">https://chromewebstore.google.com/detail/jwt-token-decode/fijcephcnbnajgkaeiamgcbeddmdfmnl</a></p> <p>How do you usually inspect JWTs in your workflow?</p> javascript security webdev opensource