JWT Explorer

A privacy-first JWT decoder and explorer that runs entirely in the browser. Tokens are decoded locally with readable header and payload views, timestamp conversion, sample tokens, theme switching, and clipboard actions.

Role: Creator / Developer
Period: Open source
Team: Independent build
Stack: Astro · TypeScript · Tailwind CSS · JWT

Problem

JWTs are easy to create and awkward to inspect. During API development, teams often paste tokens into generic online tools just to check the header, payload, expiry time, or claim shape. That workflow is fast, but it creates a bad habit: sensitive tokens leave the local environment for a task that should not need a server at all.

The goal of JWT Explorer is to make token inspection feel immediate without normalising unsafe debugging behaviour. Paste a token, see the decoded parts, understand the timestamps, copy what you need, and keep the entire workflow inside the browser session.

Constraints

  • 100% client-side processing - tokens must never be sent to an API, analytics endpoint, or backend service.
  • Readable decoded output - header and payload data should be formatted for scanning, not dumped as a compressed string.
  • Clear token feedback - malformed tokens, missing sections, and expiry states need visible feedback while the user types.
  • Responsive developer utility - the interface has to stay useful on narrow screens, not just desktop monitors.
  • Static deployment - the app should build to static files and deploy cleanly to GitHub Pages or any static host.

Key decisions

  • Astro static shell - Astro keeps the delivery model simple: static HTML, CSS, and client-side TypeScript with no runtime server.
  • Local-only decoder - all parsing happens in the browser. The app treats privacy as a technical constraint, not a policy statement.
  • TypeScript parsing and checks - token handling is explicit and typed, with checks for token shape, JSON decode failures, expiry claims, and readable error states.
  • Separated header, payload, and signature views - each JWT section has its own copy action, making the tool useful during debugging without forcing the user to manually select JSON blocks.
  • Timestamp conversion - Unix timestamps such as exp, iat, and nbf are translated into human-readable dates so expiry issues can be spotted quickly.
  • Built-in sample tokens - sample data gives the interface a useful starting state and makes testing the tool possible without bringing a real token.
  • Dark and light themes - theme switching makes the utility comfortable in both terminal-heavy and browser-heavy workflows.
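
The parsing checks and timestamp conversion described in the list above can be sketched as follows. This is an added example, not JWT Explorer's source: the function names, error strings and sample token are constructed for illustration, and the routine only decodes and classifies a token while reporting the signature as unverified.

```typescript
// Added example (not JWT Explorer's source): decode and classify a JWT locally, never verifying it.
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
type Claims = Record<string, unknown>;
type Inspection =
  | { ok: true; header: Claims; payload: Claims; times: Record<string, string>;
      state: "expired" | "not-yet-valid" | "active" | "no-exp"; signatureVerified: false }
  | { ok: false; error: string };
// Unpadded base64url -> UTF-8 text, using only ECMAScript built-ins (no network, no DOM).
function b64urlToText(seg: string): string {
  if (!/^[A-Za-z0-9_-]+$/.test(seg) || seg.length % 4 === 1) throw new Error("bad alphabet or length");
  let acc = 0, bits = 0, pct = "";
  for (let i = 0; i < seg.length; i++) {
    acc = ((acc << 6) | ALPHABET.indexOf(seg.charAt(i))) & 0xffff;
    bits += 6;
    if (bits >= 8) pct += "%" + ("0" + ((acc >> (bits -= 8)) & 0xff).toString(16)).slice(-2);
  }
  return decodeURIComponent(pct); // throws URIError on invalid UTF-8
}

function decodePart(name: string, seg: string): Claims {
  let text: string;
  try { text = b64urlToText(seg); } catch { throw new Error(`${name}: invalid base64url`); }
  let value: unknown;
  try { value = JSON.parse(text); } catch { throw new Error(`${name}: malformed JSON`); }
  if (typeof value !== "object" || value === null || Array.isArray(value)) throw new Error(`${name}: not a JSON object`);
  return value as Claims;
}

function inspectJwt(token: string, nowSec: number): Inspection {
  const parts = token.trim().split(".");
  if (parts.length !== 3) return { ok: false, error: `expected 3 sections, found ${parts.length}` };
  try {
    const header = decodePart("header", parts[0] ?? "");
    const payload = decodePart("payload", parts[1] ?? "");
    const times: Record<string, string> = {};
    for (const k of ["exp", "iat", "nbf"]) {
      const v = payload[k]; // 8.64e12 s is the largest instant a JS Date can represent
      if (typeof v === "number" && Math.abs(v) <= 8.64e12) times[k] = new Date(v * 1000).toISOString();
    }
    const exp = payload["exp"], nbf = payload["nbf"];
    const state = typeof nbf === "number" && nowSec < nbf ? "not-yet-valid"
      : typeof exp !== "number" ? "no-exp" : nowSec >= exp ? "expired" : "active";
    return { ok: true, header, payload, times, state, signatureVerified: false };
  } catch (e) {
    return { ok: false, error: e instanceof Error ? e.message : String(e) };
  }
}
// Constructed sample: header {"alg":"HS256","typ":"JWT"}, payload {"exp":1700000000}, placeholder signature.
const SAMPLE = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MDAwMDAwMDB9.c2ln";
```

Passing the current time as `nowSec` keeps the expiry classification deterministic; a caller would supply `Math.floor(Date.now() / 1000)`.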

Outcome

JWT Explorer ships as a lightweight static app at satheez.github.io/jwt-decoder with source available on GitHub. It provides the common token-inspection workflow without requiring an account, backend, or network round trip after the app loads.

The main value is behavioural: it gives developers the convenience of a hosted decoder while keeping token data local to their machine.

What I’d do differently

The next step is clearer guidance around what a browser decoder can and cannot prove. JWT Explorer can parse token structure and inspect claims, but signature verification depends on the signing setup and trusted keys. Future versions should make that boundary more explicit, add JWK-based verification for supported flows, and improve diagnostics for invalid base64url and malformed JSON edge cases.