Every now and then I need to peek inside a JWT - debugging an auth flow, sanity-checking what scopes a CI service account actually has, or figuring out why a token is being rejected at 23:00 the night before a release. And every time, I’d catch myself reaching for whatever JWT decoder Google surfaced first, pasting in a token, and then immediately feeling slightly icky about it. That token might be a service credential. It might still be valid for another six hours. And I just handed it to some random subdomain.

So one of the first things I built into the Widgita Toolbelt was a JWT decoder that runs entirely in the browser. Paste a token, get the header and payload split out cleanly, see when it expires (and whether it already has), and that’s it. No request leaves your machine for the decoding itself — the page is static HTML and a small chunk of vanilla JS. You can verify that yourself in the network tab, which is kind of the whole point.

It deliberately doesn’t verify signatures (that needs the issuer’s key and is a different problem), but for the 95% case of “what’s actually in this thing”, it’s the tool I keep open in a pinned tab.
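For anyone curious what the decoding step actually involves, here is an added example in vanilla JS (my illustration, not the Toolbelt's own code): it splits the compact token, base64url-decodes the first two segments, reports expiry against a supplied clock, and never looks at the signature. The function names and the sample token are constructed for this example.

```javascript
// Added example of client-side JWT decoding (not the Toolbelt's own source).
// Runs in any modern browser or Node 16+: atob/btoa/TextEncoder/TextDecoder are globals.

function base64UrlEncode(text) {
  // Only used here to build the constructed sample token below.
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(segment) {
  // base64url -> standard base64: swap URL-safe chars and restore the padding JWTs strip.
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  const binary = atob(padded);
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes); // proper UTF-8, so non-ASCII claims survive
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = JSON.parse(base64UrlDecode(headerSeg));
  const payload = JSON.parse(base64UrlDecode(payloadSeg));
  const exp = typeof payload.exp === "number" ? payload.exp : null; // exp is seconds since epoch
  return {
    header,
    payload,
    expiresAt: exp === null ? null : new Date(exp * 1000).toISOString(),
    expired: exp === null ? null : exp <= nowSeconds,
    signatureVerified: false, // decoding only; verifying needs the issuer's key
    signatureLength: signatureSeg.length,
  };
}

// Constructed sample token (not a real credential): HS256 header, a payload with
// a subject, scopes and exp = 1609459200 (2021-01-01T00:00:00Z), dummy signature.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "ci-deploy", scope: "read write", exp: 1609459200 })),
  "not-a-real-signature",
].join(".");
```

Passing a fixed `nowSeconds` is what makes the "has it already expired?" answer reproducible while debugging, rather than depending on when you happened to paste.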