Existing Coverage Check
Reviewed before proposing:
This is net-new. JWT decoding is explicitly listed as a research focus in AGENTS.md ("JWT decoders") and has no existing spec, issue, or live tool in this repo.
Specify Draft Summary
Proposed spec path: specs/004-jwt-decoder/spec.md
Problem: Developers working with authentication systems need to inspect JWT tokens frequently — checking expiry (exp), issuer (iss), subject (sub), custom claims, and header algorithm. The dominant tool is jwt.io (by Auth0 / Okta), but it sends pasted tokens to their servers for processing and logs traffic — a real concern when developers are debugging production tokens that may contain user IDs, role claims, or session data. Auth company tools (FusionAuth, Logto, Kinde, SuperTokens) all operate JWT decoders as marketing funnels with embedded tracking. The decode operation is trivially pure JS: three base64url splits + JSON.parse.
Users: Backend developers, security engineers, API integrators, DevOps engineers debugging auth flows.
Scope (3 prioritised stories):
| Priority |
Story |
Description |
| P1 |
Paste & Decode |
Paste a JWT, instantly see formatted header and payload JSON side-by-side; signature bytes shown separately |
| P2 |
Claim Highlights |
Automatically highlight important claims: exp (with human-readable timestamp + expired/valid indicator), iat, nbf, iss, sub, aud |
| P3 |
Copy Sections |
Copy decoded header or payload JSON independently to clipboard |
Key requirements: live decode (no button), clear three-part colour-coded display, expiry status indicator, human-readable timestamps for epoch values, error for malformed tokens, zero server requests, 100% browser-local.
Non-goals: signature verification (requires secret key — a privacy/security anti-pattern for an online tool), token generation, token editing.
Acceptance criteria:
- SC-001: Zero bytes of token data transmitted to any external server
- SC-002: Decode a 2 KB JWT in under 50 ms
- SC-003: Full workflow (paste → inspect claims) completable in under 5 seconds
- SC-004: Output matches reference
atob() + JSON.parse decoding byte-for-byte
- SC-005: Expired token shows clear visual indicator; valid token shows time-until-expiry
- SC-006: Malformed input shows clear error without crash
The Gap
jwt.io is the de facto standard JWT debugger — but it is owned by Auth0 (Okta) and routes pasted tokens through their analytics infrastructure. Every auth SaaS company (FusionAuth, Logto, Kinde, SuperTokens, Authgear) operates a JWT decoder as a marketing acquisition tool, each with tracking pixels and session recording. Developers are increasingly aware that pasting production JWT tokens into third-party sites is a privacy risk — the payload may contain user PII, role claims, internal service identifiers, or scoped permissions. A guaranteed-local, zero-tracking alternative does not exist as a standalone open-source tool.
Competitor Evidence
| Tool |
Problem |
| jwt.io (Auth0/Okta) |
Server-side routing, analytics tracking, marketing funnel |
| fusionauth.io/dev-tools/jwt-decoder |
Auth company marketing tool with tracking |
| logto.io/jwt-decoder |
Same — hosted by auth SaaS, tracking embedded |
| kinde.com/tools/online-jwt-decoder |
Auth company funnel, unclear client-side guarantee |
| supertokens.com/jwt-encoder-decoder |
SaaS marketing tool with analytics |
Search phrases users type: jwt decode online, decode jwt token online, jwt debugger, jwt parser online, inspect jwt claims
The Tech
| API / Capability |
Role |
Pure JS (split('.') + atob()) |
Three-part base64url decode — no library needed |
JSON.parse() |
Parse header and payload to structured objects |
Date API |
Convert epoch timestamps (exp, iat, nbf) to human-readable strings |
Clipboard API |
Copy decoded header or payload JSON |
TextDecoder |
Handle UTF-8 edge cases in base64url payloads |
No third-party libraries required. Ships as tools/jwt-decoder.html + tools/jwt-decoder/main.js + tools/jwt-decoder/style.css.
Usability Controls
- Live decode: Output updates as user types or pastes — no button
- Three-panel display: Header | Payload | Signature (colour-coded segments matching token colouring, like jwt.io)
- Claim highlights:
exp, iat, nbf shown as human-readable dates; exp badge shows EXPIRED / VALID + time remaining
- Copy sections: Copy header JSON and payload JSON independently
- Clear / Reset button
- Error display: Invalid token → clear message indicating which segment failed to parse
- Safe defaults: Empty state shows example/placeholder token format for guidance
Complexity: 2 / 10
The entire decode is token.split('.').map(part => JSON.parse(atob(part.replace(/-/g, '+').replace(/_/g, '/')))). The implementation challenge is the UX polish: three-panel colour-coded layout, claim annotation, expiry status calculation. No processing pipeline, no binary handling, no dependencies.
Generated by Market Research Discovery · ◷
Existing Coverage Check
Reviewed before proposing:
/specs/001-pdf-redactor/— PDF redaction, unrelated/specs/002-video-trimmer-gif-exporter/— media tool, unrelatedpdf-redactor,video-trimmer-gif-exporter,print-without-black— none touch token inspectionThis is net-new. JWT decoding is explicitly listed as a research focus in
AGENTS.md("JWT decoders") and has no existing spec, issue, or live tool in this repo.Specify Draft Summary
Proposed spec path:
specs/004-jwt-decoder/spec.mdProblem: Developers working with authentication systems need to inspect JWT tokens frequently — checking expiry (
exp), issuer (iss), subject (sub), custom claims, and header algorithm. The dominant tool isjwt.io(by Auth0 / Okta), but it sends pasted tokens to their servers for processing and logs traffic — a real concern when developers are debugging production tokens that may contain user IDs, role claims, or session data. Auth company tools (FusionAuth, Logto, Kinde, SuperTokens) all operate JWT decoders as marketing funnels with embedded tracking. The decode operation is trivially pure JS: three base64url splits +JSON.parse.Users: Backend developers, security engineers, API integrators, DevOps engineers debugging auth flows.
Scope (3 prioritised stories):
exp(with human-readable timestamp + expired/valid indicator),iat,nbf,iss,sub,audKey requirements: live decode (no button), clear three-part colour-coded display, expiry status indicator, human-readable timestamps for epoch values, error for malformed tokens, zero server requests, 100% browser-local.
Non-goals: signature verification (requires secret key — a privacy/security anti-pattern for an online tool), token generation, token editing.
Acceptance criteria:
atob()+JSON.parsedecoding byte-for-byteThe Gap
jwt.iois the de facto standard JWT debugger — but it is owned by Auth0 (Okta) and routes pasted tokens through their analytics infrastructure. Every auth SaaS company (FusionAuth, Logto, Kinde, SuperTokens, Authgear) operates a JWT decoder as a marketing acquisition tool, each with tracking pixels and session recording. Developers are increasingly aware that pasting production JWT tokens into third-party sites is a privacy risk — the payload may contain user PII, role claims, internal service identifiers, or scoped permissions. A guaranteed-local, zero-tracking alternative does not exist as a standalone open-source tool.Competitor Evidence
Search phrases users type:
jwt decode online,decode jwt token online,jwt debugger,jwt parser online,inspect jwt claimsThe Tech
split('.') + atob())JSON.parse()DateAPIexp,iat,nbf) to human-readable stringsClipboard APITextDecoderNo third-party libraries required. Ships as
tools/jwt-decoder.html+tools/jwt-decoder/main.js+tools/jwt-decoder/style.css.Usability Controls
exp,iat,nbfshown as human-readable dates;expbadge shows EXPIRED / VALID + time remainingComplexity: 2 / 10
The entire decode is
token.split('.').map(part => JSON.parse(atob(part.replace(/-/g, '+').replace(/_/g, '/')))). The implementation challenge is the UX polish: three-panel colour-coded layout, claim annotation, expiry status calculation. No processing pipeline, no binary handling, no dependencies.