Your JWT decoder might be leaking your tokens. Here's how to check.
Most developers paste production JWTs into online decoders without thinking. Here's a 10-second DevTools check to see if your token is actually leaving your machine. A coworker was debugging an auth bug last month. Standard workflow: copy the JWT from the failing request, paste it into an online decoder, read the payload. I've done it a thousand times. You probably have too. Except the token he pasted belonged to a real customer. And the decoder he used is owned by an identity company that's had its share of security incidents. Nothing bad happened. Probably. But it made me think about something I'd never actually checked: when you paste a JWT into an online decoder, where does that token go? What a JWT actually contains Quick reminder of why this matters. A JWT isn't encrypted — it's just Base64URL-encoded. Anyone who has the token can read everything in it: header.payload.signature The payload routinely contains: User ID, email, and role Session identifiers Token expiry ( exp ) and issue time ( iat ) Sometimes — against best practice — far more And here's the part people forget: a valid, unexpired JWT is a live credential. If it hasn't expired, whoever holds it can often impersonate the user. Pasting it into a random website is functionally similar to pasting a password. The 10-second check Most online JWT decoders claim to be "secure" and "client-side." Some are. Some aren't. You don't have to trust the claim — you can verify it yourself in 10 seconds: Open the decoder in your browser Open DevTools → Network tab Clear the network log Paste a JWT and decode it Watch the Network tab If any request fires when you decode — your token left your machine. A truly client-side decoder fires zero network requests during decoding. The JavaScript does everything locally; nothing is sent anywhere. Try this on whatever decoder you currently use. You might be surprised. Why most "online" tools send data It's usually not malicious. Building decoding logic on the server is someti