# Coder — Tips & Tricks

> Coder know-how: the JWT signature is not verified (security note), picking the right tab, common pitfalls, and combining it with other tools.

Source: https://www.jpkc.com/db/en/tools/coder/tips/

Back to the overview: [Coder](https://www.jpkc.com/db/en/tools/coder/) · Open the tool: [www.jpkc.com/tools/coder/](https://www.jpkc.com/tools/coder/)

The [manual](https://www.jpkc.com/db/en/tools/coder/manual/) explains every tab, the [examples](https://www.jpkc.com/db/en/tools/coder/examples/) show the workflows. This page covers what both assume but rarely state: where a tab behaves differently from what you might expect, and what to watch for to use it safely.

## JWT: decode is not verify

The most important point first, because a dangerous misunderstanding lurks here:

- **The JWT tab decodes only — it does not verify.** In a JWT, the header and payload are merely **Base64URL-encoded, not encrypted**. Anyone can read them, and that's exactly what the tool makes visible. But it does **not** check the signature and does **not** tell you whether the token is authentic, validly signed, or tampered with.
- **Never trust a decoded payload as proof of authorization.** Seeing `"admin": true` or a non-expired `exp` only means someone *wrote* that in — not that a server accepts it. Real verification (checking the signature against the secret or public key) always happens **server-side** and is deliberately not included here.
- **The expiry badges are display only.** "Valid, expires …" and "Expired" rely purely on the `exp`/`iat` fields of the **unverified** payload. A forged token can carry any `exp` it likes.
- **Privacy works in your favor here:** because the Coder runs entirely client-side, the token does **not** leave your browser. That's a real advantage over many online JWT debuggers that send the token to a server. The general caution still applies, though: production tokens often carry sensitive claims — inspect them, but don't share them.
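The gap between decoding and verifying, as an added Node.js example (not code from the Coder): an HS256 token is issued, its claims are edited while the old signature is kept, and the result is passed to a decoder and to a server-side check. The key, the claims, the timestamps and all function names are constructed for this illustration.

```javascript
// Added example (Node.js); key, claims and timestamps are constructed sample values.
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64url = (value) => Buffer.from(JSON.stringify(value)).toString("base64url");
const mac = (input, key) => createHmac("sha256", key).update(input).digest();

// Issuer side: sign "header.payload" with HMAC-SHA256 (HS256).
function signHS256(claims, key) {
  const input = b64url({ alg: "HS256", typ: "JWT" }) + "." + b64url(claims);
  return input + "." + mac(input, key).toString("base64url");
}

// What a decoder does: split, Base64URL-decode, parse. No key is involved.
function decodeOnly(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("a JWT needs three parts");
  const parse = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
  return { header: parse(parts[0]), payload: parse(parts[1]) };
}

// What the server does: pin the algorithm, recompute the MAC, compare in
// constant time, and only then look at exp.
function verifyHS256(token, key, nowSeconds) {
  const { header, payload } = decodeOnly(token);
  if (header.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const [h, p, sig] = token.split(".");
  const expected = mac(h + "." + p, key);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, payload };
}

// Same header and signature, edited claims: decodes fine, must not verify.
function withEditedClaims(token, claims) {
  const [h, , sig] = token.split(".");
  return [h, b64url(claims), sig].join(".");
}

const KEY = "constructed-demo-key";
const NOW = 1700000000;
const genuine = signHS256({ sub: "alice", admin: false, exp: NOW + 300 }, KEY);
const edited = withEditedClaims(genuine, { sub: "alice", admin: true, exp: NOW + 999999 });

console.log(decodeOnly(edited).payload, verifyHS256(edited, KEY, NOW));
```

The decoder reports `admin: true` and a far-future `exp` for the edited token, while the server-side check rejects it before `exp` is even read.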

## Pick the right tab

Many "it doesn't work" moments are really the wrong tab:

- **HTML vs. HTML+.** If your text sits between tags, **HTML** (`& < >`) is enough. If it lands in an attribute value, use **HTML+** — otherwise the quotes break the attribute. Both decode only the **entities they produce themselves**; neither resolves `&nbsp;`, `&copy;`, or numeric entities.
- **Base64 is not Base64URL.** The **Base64** tab expects the standard alphabet (`+ /`, `=` padding). A JWT segment is **Base64URL** (`- _`, often without padding) and fails in the Base64 tab. For tokens, always use the **JWT** tab — it decodes Base64URL correctly.
- **JSON tab ≠ JSON formatter.** The **JSON** tab escapes/unescapes **string literals** (`\\ \" \n \r \t`); it doesn't format or validate documents. For formatting, validating, and restructuring whole JSON files, the [JSON Editor](https://www.jpkc.com/db/en/tools/json/) is the right tool.
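The Base64 vs. Base64URL point above, as an added Node.js example (not the Coder's own code): a JWT-style segment is rejected by a strict standard Base64 decoder and accepted once the alphabet is swapped and the padding restored. The strict decoder is an assumption standing in for any standard-alphabet decoder; the payload and function names are constructed.

```javascript
// Added example; the payload is a constructed sample chosen so that its
// encoding contains "_" and needs one "=" of padding.
const segment = Buffer.from('{"q":"ab?"}').toString("base64url");

// Strict standard Base64: alphabet A-Z a-z 0-9 + /, "=" padding, length % 4 == 0.
function decodeBase64Strict(text) {
  if (!/^[A-Za-z0-9+\/]*={0,2}$/.test(text) || text.length % 4 !== 0) {
    throw new Error("not standard Base64");
  }
  return Buffer.from(text, "base64").toString("utf8");
}

// Base64URL -> standard Base64: "-" becomes "+", "_" becomes "/", padding is restored.
function base64UrlToStandard(text) {
  if (!/^[A-Za-z0-9_-]*$/.test(text) || text.length % 4 === 1) {
    throw new Error("not a Base64URL segment");
  }
  const padding = "=".repeat((4 - (text.length % 4)) % 4);
  return text.replace(/-/g, "+").replace(/_/g, "/") + padding;
}

// Returns the error message instead of throwing, for side-by-side comparison.
function tryStrict(text) {
  try {
    return decodeBase64Strict(text);
  } catch (err) {
    return "error: " + err.message;
  }
}

console.log(segment, "->", tryStrict(segment));
console.log(base64UrlToStandard(segment), "->", tryStrict(base64UrlToStandard(segment)));
```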

## Pitfalls from practice

- **URL encoding uses `+` for spaces.** The Coder encodes in form style (`application/x-www-form-urlencoded`), not with `%20`. That's correct for query strings; in a path segment, however, a `+` is a literal plus sign rather than a space, so keep that in mind before pasting the result into a path.
- **Encode and decode overwrite the field.** The result is written back into the same input field. If you want the original and the result side by side, copy the original out first with **Copy**.
- **JSON escape doesn't cover everything.** Unicode escapes (`\uXXXX`) as well as `\b` and `\f` are not handled — only `\\ \" \n \r \t`. So don't be surprised by more exotic control characters.
- **Invalid input is reported, not silently mangled.** Invalid Base64, a broken URL sequence, or a JWT without three parts produces a clear error message — not a half-broken output you notice only later.
- **Data URIs get big fast.** Base64 inflates the data by about a third. Great for icons and tiny assets; for large images or even videos the URI becomes unwieldy and slows the page rather than helping. And the MIME type comes from browser detection — if it's missing, it shows `n/a`.
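The `+`-for-spaces pitfall from the first item above, as an added JavaScript example (not the Coder's own code): the same form-style output is read back once as a query value and once as a path segment. It uses the standard `URLSearchParams`, `URL`, `encodeURIComponent` and `decodeURIComponent` APIs; the sample value, the `example.test` host and the function names are constructed.

```javascript
// Added example; the sample value and host name are constructed.
// Form style (application/x-www-form-urlencoded): space -> "+", literal "+" -> "%2B".
function formEncode(value) {
  return new URLSearchParams({ v: value }).toString().slice(2);
}

// Query-string reader: "+" is decoded as a space.
function readAsQuery(encoded) {
  return new URLSearchParams("v=" + encoded).get("v");
}

// Path-segment reader: only percent-escapes are decoded, "+" stays a plus sign.
function readAsPath(encoded) {
  const url = new URL("https://example.test/files/" + encoded);
  return decodeURIComponent(url.pathname.split("/").pop());
}

// Encoding suited to a path segment: space -> "%20".
function pathEncode(value) {
  return encodeURIComponent(value);
}

const SAMPLE = "C++ notes";
const formStyle = formEncode(SAMPLE);

console.log(formStyle);                         // form-style output
console.log(readAsQuery(formStyle));            // round-trips in a query string
console.log(readAsPath(formStyle));             // space comes back as "+"
console.log(readAsPath(pathEncode(SAMPLE)));    // round-trips in a path
```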

## Combine with other JPKCom tools

The Coder is the quick Swiss Army knife for encode/decode. For anything bigger, neighboring tools take over:

- **[Convertor PRO](https://www.jpkc.com/db/en/tools/convertor/)** — when you don't just want to encode/decode but **convert** between formats: HTML/XML, Unicode, UTF-8, hexadecimal, YAML, JSON, TOML.
- **[JSON Editor](https://www.jpkc.com/db/en/tools/json/)** — the perfect next stop for a decoded JWT payload or an unescaped JSON string: format, validate, restructure.
- **[Generator](https://www.jpkc.com/db/en/tools/generator/)** and **[Hash Generator](https://www.jpkc.com/db/en/tools/hash/)** — the security neighbors next to the JWT tab: passwords, BCrypt/Argon2 hashes, TOTP codes, and MD5/SHA hashes respectively.
- **[Beautify](https://www.jpkc.com/db/en/tools/beautify/)** — when the HTML or JavaScript snippet you just escaped should also be cleanly formatted.

Workflow pattern: encode/decode in the Coder → process further in the right neighbor tool when needed. A concrete walkthrough is in [Example 2: Decode a JWT and read the payload](https://www.jpkc.com/db/en/tools/coder/examples/#example-2-decode-a-jwt-and-read-the-payload).

---

More context: the [overview](https://www.jpkc.com/db/en/tools/coder/) for the big picture, the [manual](https://www.jpkc.com/db/en/tools/coder/manual/) for every tab in detail, and the [examples](https://www.jpkc.com/db/en/tools/coder/examples/) for the step-by-step workflows. You can try everything right in the [tool](https://www.jpkc.com/tools/coder/).

