Offline JWT decoder for Mac: inspect tokens locally
JWTs are easy to paste into a browser decoder. Real tokens are also easy to mishandle. Read the header, payload, and expiry on your Mac before you send a token-shaped string anywhere else.
Use an offline JWT decoder when the token came from work: production logs, staging sessions, support tickets, auth headers, browser storage, mobile debugging, or identity-provider tests. Use a web decoder only for fake tokens and public documentation examples.
TeenyTool includes a JWT Decoder in its Developer category. It expects the standard three-part header.payload.signature shape, decodes the header and payload locally, pretty-prints both JSON objects, and shows the expiry date when the payload has an exp claim.
It does not verify the signature. That is intentional. TeenyTool is an inspection tool for the human debugging loop, not an authentication library.
Quick decision table
| Token source | Use local | Web is fine when |
|---|---|---|
| Production auth header | Yes. It can reveal users, scopes, issuers, audiences, and expiry state. | Never, unless it has been deliberately replaced with a fake sample. |
| Staging or QA token | Yes. Staging data is still company data. | The token was generated only for a public tutorial. |
| Support ticket snippet | Yes. Claims can expose customer IDs, emails, roles, or tenant names. | The ticket uses a sanitized example. |
| RFC or docs example | Optional. Local is convenient, but privacy is not the issue. | The token is published as sample data. |
What a JWT decoder can and cannot tell you
RFC 7519 defines a JSON Web Token as a compact, URL-safe way to represent claims between two parties. In the common signed form, a JWT has three Base64URL-encoded parts separated by periods: header, payload, and signature.
A decoder can read the first two parts. The header usually describes token type and algorithm. The payload contains claims such as issuer, subject, audience, expiration, issued-at time, scopes, roles, tenant IDs, or application-specific values.
A decoder cannot prove the token is trusted unless it verifies the signature with the correct key and algorithm. TeenyTool does not do that. Use your server-side auth library, identity provider tooling, or a controlled internal tool when signature validation is the job.
How TeenyTool handles JWTs
The JWT Decoder source is deliberately small. It trims pasted text, checks for exactly three parts, Base64URL-decodes the header and payload, formats each part as pretty JSON when possible, and falls back to plain UTF-8 text if JSON parsing fails.
For expiry, it looks for an exp claim in the payload, treats it as a Unix timestamp, and shows either an expired warning or a valid-until date. If no exp claim exists, it tells you that no expiry claim was found.
The source does not send the token to a server for normal decoding. TeenyTool's homepage describes the product as a local Mac menu bar toolbox; its normal network exceptions are license validation, update checks, IP Address, and DNS Lookup.
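The steps described above (trim, three-part check, Base64URL decode, JSON or plain-text fallback, exp check), as an added Python example. It is not TeenyTool's source code; the function names and the sample token are constructed for illustration, and like the tool it does not verify the signature.

```python
import base64
import json
import time
from datetime import datetime, timezone


def b64url_decode(part):
    # JWT parts drop "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def render(part):
    """Return (parsed JSON or None, display text) for one token part."""
    raw = b64url_decode(part)
    try:
        obj = json.loads(raw)
        return obj, json.dumps(obj, indent=2, sort_keys=True)
    except ValueError:  # not JSON (or not UTF-8): show as text
        return None, raw.decode("utf-8", errors="replace")


def inspect_jwt(token, now=None):
    """Decode header and payload locally; the signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    _, header_text = render(parts[0])
    claims, payload_text = render(parts[1])
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        expiry = "no exp claim found"
    else:
        when = datetime.fromtimestamp(exp, tz=timezone.utc).isoformat()
        now = time.time() if now is None else now
        expiry = ("expired at " if exp <= now else "valid until ") + when
    return {"header": header_text, "payload": payload_text, "expiry": expiry}


def make_sample(claims):
    # Constructed sample token; the third part is a dummy, not a real signature.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    sample = make_sample({"iss": "https://idp.example", "sub": "user-123", "exp": 1700000000})
    for name, text in inspect_jwt(sample).items():
        print(f"--- {name} ---\n{text}")
```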
Workflow for inspecting a token
- Open TeenyTool from the menu bar.
- Search for "JWT" or open the Developer category.
- Choose JWT Decoder.
- Paste the token into the input field.
- Read the Header and Payload panes.
- Check the expiry message at the bottom.
- Copy only the sanitized claim values you actually need.
If the next step is a nested string, use nearby local tools: Base64 Codec, URL Codec, JSON Formatter, Hash Generator, and Unix Timestamp.
Claims worth checking first
| Claim | Why it matters | What to do with it |
|---|---|---|
| exp | Shows when the token expires. | Check whether the bug is really an expired-session issue. |
| iss | Identifies the issuer. | Confirm the token came from the expected identity provider or environment. |
| aud | Identifies the intended audience. | Look for tokens sent to the wrong API or app. |
| sub | Identifies the subject. | Handle as sensitive. Do not copy it into public channels. |
| Custom claims | Often contain roles, tenant IDs, scopes, plans, flags, or internal app state. | Sanitize before sharing outside the trusted system. |
When TeenyTool is the wrong tool
Use a real auth library when you need to accept or reject a token. Signature verification, key rotation, issuer validation, audience validation, clock skew, algorithm restrictions, and revocation rules belong in code or in your identity provider, not in a quick viewer.
Use an internal debugging tool if your team needs shared, logged token analysis. Use a browser decoder only when the token is fake enough that you would be comfortable pasting it into a public issue.
TeenyTool is for the local first pass: understand what you are holding, avoid uploading it, and decide whether the next check belongs in the app, server logs, or identity provider.
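What the accept-or-reject checks listed above involve, as an added Python example using only the standard library. It is not TeenyTool code or any auth library's API; the function names, the HS256 shared secret, and the issuer and audience values are constructed assumptions. A token whose payload was altered after signing still decodes cleanly in a viewer but fails here.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}  # assumption: this service only issues HS256 tokens


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def sign(claims, key, header=None):
    """Build a constructed token for the demo (HS256 MAC over head.body)."""
    head = b64url(json.dumps(header or {"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"


def verify(token, key, issuer, audience, leeway=30, now=None):
    """Return the claims, or raise ValueError naming the failed check."""
    head, body, sig = token.strip().split(".")
    # Algorithm restriction: never let the token choose its own algorithm.
    if json.loads(unb64url(head)).get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(body))  # parsed only after the MAC checks out
    now = time.time() if now is None else now
    exp = claims.get("exp")  # policy assumption: exp is mandatory
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims
```

The `leeway` parameter is the clock-skew allowance; key rotation and revocation are not covered and stay with the auth library or identity provider.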
Common questions
Is TeenyTool's JWT Decoder offline?
Yes. JWT header and payload decoding runs locally in the Mac app. TeenyTool's normal network exceptions are license validation, update checks, IP Address, and DNS Lookup.
Does TeenyTool verify JWT signatures?
No. TeenyTool decodes the header and payload, formats the JSON, and shows the exp claim when present. Use your auth library or identity provider tooling to verify signatures.
Is it safe to paste a JWT into an online decoder?
Avoid online decoders for real production, staging, support, or customer tokens. Use public web decoders only for fake examples or documentation samples.
Sources checked
- TeenyTool feature claims were checked against the local homepage and source files for the tool catalog, JWT Decoder, favorites, shortcuts, and network exceptions.
- RFC 7519: JSON Web Token for JWT structure, claims, registered claim names, and NumericDate handling.
- RFC 7515: JSON Web Signature for the signed header, payload, and signature structure.
- TeenyApps: Mac menu bar keyboard shortcuts worth setting up for the Monday utility-shortcut cluster.
Inspect tokens without uploading them.
TeenyTool is a $14.99 Mac menu bar toolbox with JWT Decoder, Base64 Codec, URL Codec, JSON Formatter, Hash Generator, Unix Timestamp, String Escape, Regex Tester, and more.