# How to Debug JWTs Without Exposing Your Tokens

*Published 2026-06-05.* JWT tokens contain sensitive data. Learn how to decode and inspect them safely without pasting them into online tools.

JWTs (JSON Web Tokens) are everywhere: authentication, authorization, API communication. Debugging them is a daily task. But pasting a token into jwt.io or a similar site means handing your authentication data to a third party.

## What's Inside a JWT

A JWT has three parts separated by dots:

1. **Header** — algorithm (`alg`) and token type (`typ`)
2. **Payload** — claims (user ID, roles, expiration time)
3. **Signature** — an HMAC or digital signature over the header and payload (not a plain hash of them)

The header and payload are just base64url-encoded JSON, without padding. Anyone who holds the token can decode them with nothing more than a base64 decoder. That's by design: a JWT in its usual form (a JWS) is signed, not encrypted. The signature lets the verifier detect tampering; it does nothing to hide the contents. Encrypted JWTs (JWE) exist but are rare in practice.

## Why Online JWT Debuggers Are Risky

When you paste a token into jwt.io or a similar site:

- The full token, signature included, is handed to a third-party page. Whether it stays in your browser or is posted to a server depends on that site's JavaScript, which you cannot audit on every visit; it also lands in your clipboard and browser history.
- The payload may contain user IDs, email addresses, roles, or permissions.
- If the token has not expired, anyone who captures it can replay it against your API until it does.
- Corporate security policies often prohibit it for exactly these reasons.

## Safe Local Debugging

DevKitHub's JWT Debugger decodes tokens entirely on your machine:

- Decode the header and payload instantly
- View the expiration time (`exp`) in human-readable form
- Validate the signature with your secret key, locally
- Check whether the token is expired

No network requests. No data leaves your device.

## JWT Best Practices

- **Keep payloads small** — include only the claims the receiver needs
- **Set short expiration times** — 15 to 60 minutes for access tokens
- **Use refresh tokens** — longer-lived, stored securely, and used only to mint new access tokens
- **Never store sensitive data in the payload** — it is readable by anyone who holds the token
- **Validate on every request** — verify the signature with the algorithm you expect, check `exp`, and don't trust anything the client sends unverified
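As an added example (not code from the original post, and not DevKitHub's JWT Debugger), the following standard-library Python script does locally what the "What's Inside a JWT" and "Safe Local Debugging" sections describe: it splits a token into header, payload and signature, reports the `exp` claim in human-readable form, and verifies an HS256 signature with a secret that never leaves the machine. The verifier pins the algorithm, so a token whose header claims a different `alg` (including `none`) is rejected instead of trusted. The secret, claims and timestamps are constructed for the demonstration; the `sign_hs256` and `tamper` helpers exist only to mint test input offline.

```python
"""Local JWT inspection: decode, check expiry, verify HS256. No network access."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> tuple[dict, dict, bytes]:
    """Split a compact JWS into (header, payload, signature). No verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload, _b64url_decode(parts[2])


def expiry_status(payload: dict, now: float | None = None) -> str:
    """Describe the 'exp' claim relative to 'now' (defaults to the wall clock)."""
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if exp is None:
        return "no exp claim"
    human = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(exp))
    remaining = exp - now
    if remaining < 0:
        return f"expired at {human} ({int(-remaining)}s ago)"
    return f"valid until {human} ({int(remaining)}s left)"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Verify an HS256 signature locally, pinning the algorithm to HS256.

    The header's 'alg' is never used to choose the algorithm: a token that
    says 'none' or 'RS256' is simply rejected here.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def sign_hs256(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a test token (constructed data) so the example runs offline."""
    header = {"alg": alg, "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = b"" if alg == "none" else hmac.new(
        secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def tamper(token: str, new_payload: dict) -> str:
    """Rewrite the payload but keep the old signature, as someone without the key would."""
    h, _, s = token.split(".")
    p = _b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{h}.{p}.{s}"


# Constructed sample: hypothetical secret and claims, not real credentials.
SECRET = b"local-dev-secret-do-not-reuse"
NOW = 1_700_000_000
CLAIMS = {"sub": "user-42", "role": "viewer", "iat": NOW, "exp": NOW + 900}
SAMPLE_TOKEN = sign_hs256(CLAIMS, SECRET)

if __name__ == "__main__":
    header, payload, _ = decode_jwt(SAMPLE_TOKEN)
    print("header   :", header)
    print("payload  :", payload)
    print("expiry   :", expiry_status(payload, now=NOW + 60))
    print("sig ok   :", verify_hs256(SAMPLE_TOKEN, SECRET))
    print("wrong key:", verify_hs256(SAMPLE_TOKEN, b"other-secret"))
    forged = tamper(SAMPLE_TOKEN, dict(CLAIMS, role="admin"))
    print("tampered :", verify_hs256(forged, SECRET))
    print("alg=none :", verify_hs256(sign_hs256(CLAIMS, SECRET, alg="none"), SECRET))
```

Run it with a real token by replacing `SAMPLE_TOKEN` and `SECRET`; nothing is sent anywhere. Note that `decode_jwt` deliberately verifies nothing, which is exactly what an online debugger's "decoded" view gives you: readable claims, but no evidence that they are genuine until `verify_hs256` succeeds with the right key.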