Your JWT decoder might be leaking your tokens. Here's how to check.

Most developers paste production JWTs into online decoders without thinking. Here's a 10-second DevTools check to see if your token is actually leaving your machine.

A coworker was debugging an auth bug last month. Standard workflow: copy the JWT from the failing request, paste it into an online decoder, read the payload. I've done it a thousand times. You probably have too.

Except the token he pasted belonged to a real customer. And the decoder he used is owned by an identity company that's had its share of security incidents.

Nothing bad happened. Probably. But it made me think about something I'd never actually checked: when you paste a JWT into an online decoder, where does that token go?

What a JWT actually contains