A JWT isn't just JSON you can inspect. It's a live bearer token. Here's a safer way to decode one.
A few days ago I was reviewing a bug with a teammate. They wanted to see what was inside an access token, so they copied it into the first JWT decoder Google returned.
It wasn't a dummy token.
It was a production access token with almost an hour left before it expired.
Nobody was trying to do anything risky—it was just the quickest way to inspect a JWT. That's exactly why this keeps happening.






