JWT Network SideCar
DevTools panel that decodes bearer/JWT tokens from request headers and JSON payloads, including nested fields.
As of June 2026, JWT Network SideCar has — users in the Developer Tools category.
Users: — (no change, 0%)
Rating: —, — reviews (no change, 0%)
Reviews: — (no change, 0%)
Version
0.1.0
Manifest V3
History
1 snapshot. Tracking since Jun 17, 2026.
| Date | Users | Rating | Reviews | Version |
|---|---|---|---|---|
| Jun 17, 2026 | — | — | — | 0.1.0 |
| Now | — | — | — | 0.1.0 |
Permissions & access
- Permissions: None declared
- Host access: None declared
About
JWT Network SideCar — see what's inside your tokens, right where you debug.

Almost every authenticated request carries a JWT, but Chrome DevTools shows it as an opaque "eyJ..." blob. To read it you copy the token, switch to an online decoder, paste it in, and hope it's a tool you trust with your credentials. JWT Network SideCar removes that whole detour: it decodes your tokens inside DevTools, on your machine, the moment the request fires.

WHAT IT DOES

Finds tokens automatically. As you use a page, the panel scans each network request and pulls out every JWT it finds — in the Authorization header (it strips the "Bearer " prefix for you), in X-Authorization and Proxy-Authorization headers, in URL query parameters, and in request bodies. For JSON bodies it walks the whole structure and tells you the exact path the token came from (for example body:session.accessToken), so you always know which field you're looking at.

Decodes header, claims, and signature. Each token is broken into its three parts and shown color-coded, with the header and payload rendered as clean, syntax-highlighted JSON. No more eyeballing base64.

Explains the claims. The panel labels registered JWT claims (iss, aud, exp, nbf, iat and more) with plain-English descriptions, and recognizes common Azure AD / Entra ID claims. Time-based claims like exp, nbf, and iat are converted from raw UNIX timestamps into human-readable dates, so you can see at a glance whether a token is expired or not yet valid.

Decode anything on demand. Paste any JWT or "Bearer ..." string into the box at the top and decode it instantly — handy for tokens from logs, tickets, or a teammate's message that never hit the network tab.

Filter and copy. Filter captured requests by URL or method to zero in on the call you care about (your filter is remembered between sessions). One click copies the raw token, the decoded header, or the decoded payload as pretty-printed JSON, ready to drop into a test or bug report.

Handles real-world tokens. Unsigned tokens, multiple tokens in one request, and malformed values are all dealt with gracefully, and the capture list clears automatically when you navigate.

WHY INSTALL IT

If you work on anything behind auth — APIs, SSO, OAuth, GraphQL gateways — you inspect JWTs constantly, and every round-trip to an external decoder costs time and puts a live credential on someone else's website. This panel turns that into a glance: open DevTools, see the decoded header, claims, and expiry next to the request that sent them.

Privacy: everything runs locally inside your browser's DevTools. Tokens are never sent anywhere, nothing is stored after you close DevTools, and the extension makes no network requests of its own.
Technical
- Version: 0.1.0
- Manifest: V3
- Size: 16.35KiB
- Min Chrome: 88
- Languages: 1
- Featured: No
Metadata
- ID: fpdjednlgckknoocaofjgijmgigneccc
- Developer ID: u8135b519c2abed62f33df363c6db819c
- Developer Email: [email protected]
- Created: Jun 16, 2026
- Last Updated (Store): Jun 16, 2026
- Last Scraped: Jun 17, 2026
- Website: —
- Support URL: —
Data sourced from the Chrome Web Store · last verified Jun 17, 2026.