~/toolhouse
2026.04.28 · 2 min read · ai-dev · security

Why I stopped pasting JWTs into random online tools

A short essay on why every dev tool you reach for should be browser-only — and what I built when I couldn't find one.

I had the same realization three times before I did anything about it. I'd be debugging an auth flow, copy a JWT out of a request, paste it into the first decoder Google surfaced, and only halfway through scanning the payload would I notice the network tab was lit up. Whatever was in that token — user IDs, session secrets, internal claims — had just left my machine.

The third time, I stopped and built one that runs in the browser. No backend, no telemetry, no "logging for quality assurance." If the page is open, you can pull the network cable and it still works.

"If your tool sees the data, you've already lost." — every security review I've ever sat through.

The argument for browser-only isn't paranoia. It's that the cost of building it that way is so low — Web Crypto exists, Next.js statically renders the page, the entire pipeline fits in a service worker if you want — that there's no reason left to send tokens over the wire. The only reason most online tools still do is that they were built before the browser caught up.

If you're signing or verifying tokens locally, the core of it (the HS256 signing half, shown here) is essentially this:

// Sign `input` (for a JWT: "<base64url header>.<base64url payload>") with HS256, entirely in the browser.
async function hs256Sign(secret, input) {
  const encoder = new TextEncoder();
  const key = await crypto.subtle.importKey(
    "raw",
    encoder.encode(secret),
    { name: "HMAC", hash: "SHA-256" },
    false,             // non-extractable: the raw secret can't be read back out of the key object
    ["sign", "verify"],
  );
  // Returns the raw 32-byte MAC; base64url-encode it to form the token's third segment.
  return crypto.subtle.sign("HMAC", key, encoder.encode(input));
}

That's it. No npm dependency, no server. The same pattern works for the RS/ES variants once you swap in the matching importKey call. The whole thing is a Saturday afternoon and it never sees the network.
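The full round-trip the post describes, as an added example rather than the author's tool: base64url encoding, decode-without-verify (the "paste a token and look at it" case), HS256 signing, and verification that pins the algorithm and lets Web Crypto do the MAC comparison. The Node fallback in getSubtle and the function names are my own choices, not anything from the original.

```javascript
// Added example: browser-only HS256 JWT sign / verify / decode on Web Crypto.
// Falls back to Node's webcrypto so the same file also runs outside a browser.
async function getSubtle() {
  if (globalThis.crypto?.subtle) return globalThis.crypto.subtle;
  return (await import("node:crypto")).webcrypto.subtle;
}
const enc = new TextEncoder();
const dec = new TextDecoder();
// base64url per RFC 7515: URL-safe alphabet, no '=' padding.
function b64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function fromB64url(s) {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}
// The secret never leaves the page: non-extractable key, usable only for HMAC sign/verify.
async function hmacKey(secret) {
  return (await getSubtle()).importKey("raw", enc.encode(secret),
    { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);
}
// Decode only: the "paste a token and look at it" case. Needs no secret and no server.
function decodeJwt(token) {
  const [h, p] = token.split(".");
  return { header: JSON.parse(dec.decode(fromB64url(h))),
           payload: JSON.parse(dec.decode(fromB64url(p))) };
}

async function signJwtHs256(payload, secret) {
  const header = { alg: "HS256", typ: "JWT" };
  const signingInput = `${b64url(enc.encode(JSON.stringify(header)))}.${b64url(enc.encode(JSON.stringify(payload)))}`;
  const mac = await (await getSubtle()).sign("HMAC", await hmacKey(secret), enc.encode(signingInput));
  return `${signingInput}.${b64url(new Uint8Array(mac))}`;
}

// Verify: pin the expected alg before trusting anything in the header, then let
// subtle.verify do the constant-time MAC comparison instead of comparing strings by hand.
async function verifyJwtHs256(token, secret) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  try {
    if (decodeJwt(token).header.alg !== "HS256") return false;
    const [h, p, s] = parts;
    return await (await getSubtle()).verify("HMAC", await hmacKey(secret), fromB64url(s), enc.encode(`${h}.${p}`));
  } catch {
    return false; // malformed base64url or JSON is a rejection, not a crash
  }
}
```

Open the page, pull the network cable, and every one of these still works; the only thing that should ever light up the network tab is loading the page itself.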

The broader lesson is that "online tool" used to mean "send the data to a server that does the work." It doesn't have to anymore. The next time you reach for one, check the network tab. If it lights up, find a different one — or build it yourself. It's almost certainly less work than you think.