How to Decode JWT Tokens on Mac (Without Using a Public Website)

Decode JWT tokens safely on macOS without pasting them into jwt.io or any public site. SecureStack decodes JWTs locally in your menu bar.

If you’ve worked with authentication APIs, you’ve decoded a JWT token. And if you’ve decoded a JWT token, there’s a good chance you’ve pasted it into jwt.io — the go-to tool that most developers reach for.

It works. But there’s a catch.

The Problem with Pasting JWTs into Public Sites

JWT tokens look like opaque strings, but they are only Base64URL-encoded, not encrypted: anyone who sees the token can read its contents. The payload often contains:

  • User IDs and email addresses
  • Permissions and roles
  • Expiry timestamps
  • Custom claims that reveal your system’s internal structure
  • In some cases, session-linked data that could be exploited if intercepted

When you paste a token into a public website, it travels over the network and is processed by someone else’s server. Most JWT decoder sites are trustworthy, but “probably fine” isn’t the same as “definitely safe” — especially in a work or enterprise context. An unexpired token is also a bearer credential: whoever holds a copy can use it until it expires.

A Better Approach: Decode Locally

SecureStack includes a JWT Decoder that runs entirely on your Mac. No network requests, no external servers. The token goes in, the decoded claims come out — and nothing leaves your machine.

How to Decode a JWT with SecureStack

  1. Copy your JWT token from wherever it appears — a browser devtools network tab, an API client response, a log file
  2. Click the SecureStack icon in your menu bar
  3. Open the Tools tab and select JWT Decoder — or use Smart Paste (⌘ V) and SecureStack recognises it as a JWT automatically
  4. The token is split into three sections:

     Section    | What you see
     Header     | Algorithm (alg) and token type (typ)
     Payload    | All claims — sub, iss, exp, iat, custom fields
     Signature  | The raw signature component

  5. Click Copy next to any section to grab it

Smart Paste Priority

SecureStack’s Smart Paste engine gives JWTs the highest priority in detection. If your clipboard contains a valid JWT, it will always be identified as a JWT before Base64 or plain text — even though JWT payloads are Base64-encoded underneath.

What SecureStack Does Not Do

SecureStack decodes tokens for inspection. It does not cryptographically verify the signature — that requires the signing secret or public key, which should stay in your auth infrastructure. For signature verification, use your server-side auth library.
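
The same local, inspection-only decode can be done with nothing but the Python standard library. This is an added example, not SecureStack's code: the function names, the JWT-before-Base64 check order in classify, and the sample token are assumptions constructed here, and the signature segment is returned raw, never verified.

```python
import base64
import json
from datetime import datetime, timezone

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)

def decode_jwt(token: str) -> dict:
    """Split a compact JWT for inspection only; the signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all land here
        raise ValueError(f"not a decodable JWT: {exc}") from exc
    if not (isinstance(header, dict) and "alg" in header and isinstance(payload, dict)):
        raise ValueError("header lacks 'alg' or payload is not a JSON object")
    return {"header": header, "payload": payload, "signature": parts[2]}

def readable_times(payload: dict) -> dict:
    """Render numeric iat/nbf/exp claims as UTC ISO-8601 strings."""
    return {k: datetime.fromtimestamp(payload[k], timezone.utc).isoformat()
            for k in ("iat", "nbf", "exp") if isinstance(payload.get(k), (int, float))}

def classify(text: str) -> str:
    """Try JWT before plain Base64 (assumed order, after the Smart Paste priority)."""
    for label, probe in (("jwt", decode_jwt),
                         ("base64", lambda t: base64.b64decode(t, validate=True))):
        try:
            probe(text.strip())
            return label
        except ValueError:
            continue
    return "text"

def _seg(obj: dict) -> str:
    """Encode one JSON segment of the constructed sample token."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: made-up claims and a placeholder in the signature slot.
SAMPLE = ".".join([_seg({"alg": "HS256", "typ": "JWT"}),
                   _seg({"sub": "user-123", "iat": 1700000000, "exp": 1700003600}),
                   "c2lnbmF0dXJl"])

if __name__ == "__main__":
    print(json.dumps(decode_jwt(SAMPLE), indent=2))
```

Because nothing here checks the signature, the decoded claims are only what the token says about itself; treat them as untrusted until your server-side auth library has verified the token.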

Other Tools in SecureStack

The JWT Decoder is one of ten tools in SecureStack’s menu bar popover:

  • JSON Formatter — format and validate JSON
  • XML Formatter — format and validate XML
  • Base64 Encoder/Decoder — encode/decode Base64 strings
  • UUID Generator
  • SHA-256 Hash Generator
  • Color Converter
  • Regex Tester
  • Lorem Ipsum Generator
  • Mock Data Generator

All offline. All in one click.

Get SecureStack

$24.99 — one-time purchase.

If you regularly work with JWTs, SecureStack is the safest and fastest way to inspect them on macOS.