// tools
JWT decoder — no upload, runs in your browser
JWTs in the wild are often live session tokens. Pasting them into a server-side decoder leaves them in someone else's logs for a few seconds — small audit risk, real exposure. This page does the decode entirely client-side: open DevTools → Network and verify zero outbound requests fire when you paste.