Is jwt.io Safe? What Actually Happens to Your Token
Millions of developers use jwt.io every day. Most have never asked what happens to their token on the other side.
If you've ever pasted a JWT into jwt.io to debug it, you've sent that token to a third-party server — or at minimum, to a page loaded with third-party scripts you don't control. For most debugging sessions that's fine. For production tokens containing user IDs, roles, email addresses, and session data, it's worth understanding exactly what you're doing.
What jwt.io Actually Is
jwt.io is a free JWT debugger built and maintained by Auth0, which is owned by Okta. It's the most widely used JWT tool on the internet, linked from the official JWT specification at jwt.io. The tool decodes JWT headers and payloads in the browser using JavaScript — the decoding itself is client-side.
The question developers rarely ask: what else is on that page, and what does it load?
The 3 Actual Risks of jwt.io
jwt.io loads external JavaScript including analytics and CDN resources. Any of these scripts run in the same browser context as your token. A compromised CDN or analytics provider could theoretically access page content — including what you've typed into the input field.
Auth0 is an identity platform that sells JWT-based authentication. jwt.io is a marketing and developer relations tool. While there's no evidence Auth0 logs tokens, the site is owned by a company whose core business is JWT infrastructure. The incentive alignment is worth noting.
If you have browser extensions installed — password managers, productivity tools, tab managers — many have permission to read page content. Anything you type into jwt.io is visible to those extensions. This isn't jwt.io's fault, but it's a risk that disappears when you use a local tool.
What's Actually in a JWT That Makes This Matter
The reason this question is worth asking is that JWTs often contain more than developers realize. A token from a typical web app might include:
| Claim | Typical Value | Sensitive? |
|---|---|---|
| sub | User ID (e.g. user_12345) | Medium |
| email | user@company.com | ⚠️ Yes — PII |
| role | admin, superuser, internal | Medium |
| org_id | Internal organization identifier | Medium |
| permissions | ["read:users","write:billing"] | ⚠️ Yes |
| exp / iat | Unix timestamps | Low |
| custom claims | Anything your app adds | ⚠️ Varies |
A production token with email, role: admin, and permissions claims is real user data. Pasting it into any third-party tool is worth thinking twice about, regardless of how trustworthy that tool is.
jwt.io vs a Fully Client-Side Decoder
| Feature | jwt.io | ResourceCentral JWT Decoder |
|---|---|---|
| Decoding runs in browser | ✓ Yes | ✓ Yes |
| Third-party analytics scripts | ⚠️ Present | ✗ None |
| Owned by identity vendor | Auth0 / Okta | Independent |
| exp decoded to human time | ✓ Yes | ✓ Yes |
| Signature verification | ✓ Yes (needs secret) | Decode only |
| Verifiable zero uploads | Not independently verifiable | ✓ Verify page |
| Free | ✓ Yes | ✓ Yes |
When jwt.io Is Fine vs When to Use Something Else
jwt.io is fine for:
- 📚 Learning how JWTs work
- 🧪 Debugging tokens from local dev environments
- 🔬 Tokens with no PII or sensitive claims
- ✅ Tokens you generated yourself for testing
- 🔐 Verifying a signature (requires secret key)
Use a fully client-side decoder instead for:
- 👤 Tokens containing real user emails or IDs
- 🔑 Tokens with admin or elevated role claims
- 🏢 Tokens from client production systems
- 🏥 Any token from a HIPAA-regulated app
- 💳 Tokens containing payment or billing permissions
How to Decode JWTs With Zero Third-Party Risk
No analytics. No Auth0. No uploads. Verify it yourself in DevTools.
FAQ
Is jwt.io safe to use with production tokens?
jwt.io decodes tokens client-side, but the page loads third-party scripts from Auth0/Okta infrastructure. For tokens containing user emails, admin roles, or sensitive permissions, a fully isolated client-side tool with no external scripts is the safer choice.
Does jwt.io send my token to a server?
The decoding logic runs in your browser. However, the page loads external scripts, and those run in the same browser context as your token. Whether any of those scripts transmit page content is not independently verifiable. You can open DevTools → Network and watch which requests fire while you use the tool.
Can I decode a JWT without the secret key?
Yes. JWT headers and payloads are Base64-encoded, not encrypted. Any decoder can read the claims without the secret key. The secret is only needed to cryptographically verify the signature — which confirms the token hasn't been tampered with. For debugging claims and expiry, you never need the secret.
What should I do if I accidentally pasted a production JWT into jwt.io?
If the token is still valid, revoke it or force-expire it via your auth system immediately. Rotate any signing secrets if they were also visible. For short-lived tokens (under 15 minutes), the practical risk is low — but for long-lived tokens or tokens with elevated permissions, treat it as a potential exposure and act accordingly.