Coder — Tips & Tricks

Coder know-how: the JWT signature is not verified (security note), picking the right tab, common pitfalls, and combining it with other tools.

The manual explains every tab, the examples show the workflows. This page is about what both assume but rarely state: when a tab does something other than you expect, and what to watch for to use it safely.

JWT: decode is not verify

The most important point first, because a dangerous misunderstanding lurks here:

  • The JWT tab decodes only — it does not verify. In a JWT, the header and payload are merely Base64URL-encoded, not encrypted. Anyone can read them, and that's exactly what the tool makes visible. But it does not check the signature and does not tell you whether the token is authentic, validly signed, or tampered with.
  • Never trust a decoded payload as proof of authorization. Seeing "admin": true or a non-expired exp only means someone wrote that in — not that a server accepts it. Real verification (checking the signature against the secret or public key) always happens server-side and is deliberately not included here.
  • The expiry badges are display only. "Valid, expires …" and "Expired" rely purely on the exp/iat fields of the unverified payload. A forged token can carry any exp it likes.
  • Privacy works in your favor here: because the Coder runs entirely client-side, the token does not leave your browser. That's a real advantage over many online JWT debuggers that send the token to a server. The general caution still applies, though: production tokens often carry sensitive claims — inspect them, but don't share them.
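
The difference between decoding and verifying, as an added example for Node.js (not part of the Coder or its source). The helper names, the demo secret, and the sample tokens are constructed for illustration, and HS256 is assumed as the signing algorithm.

```javascript
// Added example: decode vs. verify for an HS256 JWT (Node.js, no dependencies).
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (signingInput, secret) =>
  createHmac('sha256', secret).update(signingInput).digest();

// Build a constructed sample token; a real one comes from your identity provider.
function makeToken(payload, secret) {
  const signingInput =
    b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(payload));
  return signingInput + '.' + sign(signingInput, secret).toString('base64url');
}

// What a decode-only tool does: split, Base64URL-decode, parse. No key involved.
function decodeOnly(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('JWT must have three parts');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// What the server must do before trusting any claim.
function verifyHS256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  // Pin the algorithm instead of trusting the token's own header.
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = sign(parts[0] + '.' + parts[1], secret);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected))
    return { ok: false, reason: 'bad signature' };
  const claims = decodeOnly(token);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds)
    return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Constructed demo values.
const SECRET = 'demo-secret-not-for-production';
const NOW = 1700000000;
const genuine = makeToken({ sub: 'alice', admin: false, exp: NOW + 3600 }, SECRET);
// Same header and signature, payload swapped for one that was never signed.
const [h, , s] = genuine.split('.');
const tampered = [h, b64url(JSON.stringify({ sub: 'alice', admin: true, exp: NOW + 9e8 })), s].join('.');

console.log(decodeOnly(tampered).admin);         // decoding shows the edited claim
console.log(verifyHS256(tampered, SECRET, NOW)); // verification rejects it
console.log(verifyHS256(genuine, SECRET, NOW).ok);
```

The edited payload decodes cleanly and would earn a "Valid, expires …" badge in any decode-only view; only the signature check, which needs the key, tells the two tokens apart.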

Pick the right tab

Many "it doesn't work" moments are really the wrong tab:

  • HTML vs. HTML+. If your text sits between tags, HTML (& < >) is enough. If it lands in an attribute value, use HTML+ — otherwise the quotes break the attribute. Both decode only the entities they produce themselves; neither resolves &nbsp;, &copy;, or numeric entities.
  • Base64 is not Base64URL. The Base64 tab expects the standard alphabet (+ /, = padding). A JWT segment is Base64URL (- _, often without padding) and fails in the Base64 tab. For tokens, always use the JWT tab — it decodes Base64URL correctly.
  • JSON tab ≠ JSON formatter. The JSON tab escapes/unescapes string literals (\\ \" \n \r \t); it doesn't format or validate documents. For formatting, validating, and restructuring whole JSON files, the JSON Editor is the right tool.

Pitfalls from practice

  • URL encoding uses + for spaces. The Coder encodes in form style (application/x-www-form-urlencoded), not with %20. That's correct for query strings. In a path segment, however, a + is taken literally rather than as a space, so keep that in mind when the result is meant for a path.
  • Encode and decode overwrite the field. The result is written back into the same input field. If you want the original and the result side by side, copy the original out first with Copy.
  • JSON escape doesn't cover everything. Unicode escapes (\uXXXX) as well as \b and \f are not handled — only \\ \" \n \r \t. So don't be surprised by more exotic control characters.
  • Invalid input is reported, not silently mangled. Invalid Base64, a broken URL sequence, or a JWT without three parts produces a clear error message — not a half-broken output you notice only later.
  • Data URIs get big fast. Base64 inflates the data by about a third. Great for icons and tiny assets; for large images or even videos the URI becomes unwieldy and slows the page rather than helping. And the MIME type comes from browser detection — if it's missing, it shows n/a.

Combine with other JPKCom tools

The Coder is the quick Swiss Army knife for encode/decode. For anything bigger, neighboring tools take over:

  • Convertor PRO — when you don't just want to encode/decode but convert between formats: HTML/XML, Unicode, UTF-8, hexadecimal, YAML, JSON, TOML.
  • JSON Editor — the perfect next stop for a decoded JWT payload or an unescaped JSON string: format, validate, restructure.
  • Generator and Hash Generator — the security neighbors next to the JWT tab: passwords, BCrypt/Argon2 hashes, TOTP codes, and MD5/SHA hashes respectively.
  • Beautify — when the HTML or JavaScript snippet you just escaped should also be cleanly formatted.

Workflow pattern: encode/decode in the Coder → process further in the right neighbor tool when needed. A concrete walkthrough is in Example 2: Decode a JWT and read the payload.


More context: the overview for the big picture, the manual for every tab in detail, and the examples for the step-by-step workflows. You can try everything right in the tool.