A JWT Decoder That Doesn't Phone Home

Sun, 19 Apr 2026 00:00:00 +0000

Every now and then I need to peek inside a JWT - debugging an auth flow, sanity-checking what scopes a CI service account actually has, or figuring out why a token is being rejected at 23:00 the night before a release. And every time, I’d catch myself reaching for whatever JWT decoder Google surfaced first, pasting in a token, and then immediately feeling slightly icky about it. That token might be a service credential. It might still be valid for another six hours. And I just handed it to some random subdomain.

Jwt on Widgita

A JWT Decoder That Doesn't Phone Home