A JWT isn't just JSON you can inspect. It's a live bearer token. Here's a safer way to decode one.

A few days ago I was reviewing a bug with a teammate. They wanted to see what was inside an access token, so they copied it into the first JWT decoder Google returned.

It wasn't a dummy token.

It was a production access token with almost an hour left before it expired.

Nobody was trying to do anything risky—it was just the quickest way to inspect a JWT. That's exactly why this keeps happening.