stop using websites to decode JWTs — do it in the terminal

every time you need to debug a JWT, you open jwt.io, paste your token, and hope you didn't just leak a production token to a third-party website. stop doing that. JWTs are just base64. you can decode them in one line. no websites, no npm packages, no risk. the one-liner echo 'YOUR_JWT_HERE' | cut -d '.' -f2 | base64 -d 2>/dev/null | python3 -m json.tool that's it. splits on the dots, grabs the payload (middle part), base64 decodes it, pretty prints the JSON. done. wait, what even is a JWT? a JWT (JSON Web Token) has three parts separated by dots: header.payload.signature each part is base64url encoded. the header says what algorithm was used. the payload has your actual data (claims). the signature proves it wasn't tampered with. eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4ifQ.xxxxx │ │ │ └─ header └─ payload (this is what you usually care about) └─ signature you almost never need to verify the signature locally. you just want to see what's in the payload. which mea