TFT

View JWT Tokens Stored in Your Browser

Safely inspect JWT tokens stored in your browser's localStorage or sessionStorage. Tokens are decoded and their expiry checked locally; nothing is sent to any server, which makes the viewer safe to use for frontend debugging. (Signature verification needs the issuer's key, so the viewer checks structure and expiry, not authenticity.)

JWT Token Storage Viewer

View and analyze JWT token storage

How to use

Enter your data in the input field, click Convert, and the result will appear in the output field. You can then copy or download the result.

How JWT Storage Analysis Works

The storage viewer examines where and how JWTs persist in your application. It parses tokens from common storage locations: localStorage, sessionStorage, cookies, and IndexedDB entries.

For each stored token, the tool extracts metadata without exposing the actual token value. You see storage type, key name, token size, creation time (if available), and expiry status.

Storage locations checked:

  • localStorage - Persistent key-value store (survives browser restart)
  • sessionStorage - Tab-scoped storage (cleared when tab closes)
  • Cookies - HTTP cookies with domain/path restrictions
  • IndexedDB - Structured data storage for larger datasets

The viewer also flags security concerns: tokens in localStorage or sessionStorage (readable by any script that runs on the page, so exposed by an XSS flaw), cookies it can read at all (by definition set without the HttpOnly flag, since JavaScript never sees HttpOnly cookies), and tokens still stored after their exp claim has passed.

When You'd Actually Use This

Security audit of your application

You're reviewing your app's authentication implementation. The viewer shows all stored JWTs and highlights that tokens are in localStorage instead of HttpOnly cookies.

Debugging stale session issues

Users report staying logged in after a password change. A JWT is stateless: unless the server tracks revocation separately, it accepts a token issued before the change until the exp claim passes. The viewer shows the lingering token with its issue and expiry times, and also surfaces tokens that are already expired but that the app still tries to send.

Cleaning up after development

Your dev environment has dozens of test tokens scattered across storage. The viewer lists them all so you can purge outdated credentials.

Comparing storage strategies

Evaluating localStorage vs. cookies for token storage? The viewer shows exactly what gets stored where, helping you understand the tradeoffs.

Investigating token duplication

Your app stores tokens under multiple keys ("auth_token", "jwt", "user_token"). The viewer reveals the duplication, explaining increased storage usage.

Teaching web security concepts

Demonstrating XSS risks to junior developers? Show them how easily tokens in localStorage can be read with a single console command: anything the viewer lists from localStorage or sessionStorage is equally readable by an injected script.
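The scan described under How JWT Storage Analysis Works, and the console extraction this teaching scenario refers to, written out as an added example. This is not the viewer's own source (the page does not include it). It takes any object with the Web Storage `length`/`key`/`getItem` shape plus a cookie string, so in a browser console you would call `scanStorage({ localStorage, sessionStorage, cookieString: document.cookie })`; here it runs in Node against constructed fixture tokens carrying a dummy signature, because a client never holds the signing key and can only check structure and the exp claim. The flag names and the mask format are this example's own choices.

```javascript
// Added example (not the viewer's code): scan Web Storage and a cookie string for
// JWT-shaped values, decode header and payload locally, report expiry, mask the raw token.

const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// base64url -> UTF-8 string (atob and TextDecoder exist in browsers and Node 16+)
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  const bin = atob(b64);
  return new TextDecoder().decode(Uint8Array.from(bin, c => c.charCodeAt(0)));
}

// Decode without verifying the signature; returns null for anything that is not a JWT.
function decodeJwt(token) {
  if (typeof token !== 'string' || !JWT_RE.test(token)) return null;
  try {
    const [h, p] = token.split('.');
    return { header: JSON.parse(b64urlDecode(h)), payload: JSON.parse(b64urlDecode(p)) };
  } catch {
    return null;
  }
}

// Keep enough of the token to recognise it, never enough to replay it.
function mask(token) {
  return token.length <= 12 ? '***' : token.slice(0, 6) + '...' + token.slice(-6);
}

// Build one report entry; `now` is seconds since the epoch to match the exp claim.
function analyze(storageType, key, token, now) {
  const decoded = decodeJwt(token);
  if (!decoded) return null;
  const { exp, iat } = decoded.payload;
  const entry = {
    storage: storageType, key, size: token.length, masked: mask(token),
    alg: decoded.header.alg,
    issuedAt: typeof iat === 'number' ? iat : null,
    expired: typeof exp === 'number' ? exp <= now : null,
    flags: [],
  };
  if (storageType === 'localStorage' || storageType === 'sessionStorage') entry.flags.push('readable-by-script');
  if (storageType === 'cookie') entry.flags.push('not-httponly'); // document.cookie never contains HttpOnly cookies
  if (entry.expired) entry.flags.push('expired');
  if (entry.alg === 'none') entry.flags.push('alg-none');
  return entry;
}

// Walk both Web Storage objects and the cookie string; unknown values are skipped.
function scanStorage({ localStorage, sessionStorage, cookieString = '' }, now = Math.floor(Date.now() / 1000)) {
  const report = [];
  for (const [type, store] of [['localStorage', localStorage], ['sessionStorage', sessionStorage]]) {
    if (!store) continue;
    for (let i = 0; i < store.length; i++) {
      const key = store.key(i);
      const entry = analyze(type, key, store.getItem(key), now);
      if (entry) report.push(entry);
    }
  }
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const entry = analyze('cookie', part.slice(0, idx).trim(), part.slice(idx + 1).trim(), now);
    if (entry) report.push(entry);
  }
  return report;
}

// --- constructed fixtures (not real credentials): unsigned tokens with a dummy signature ---
function b64url(s) { return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''); }
function fakeJwt(payload, alg = 'HS256') {
  return `${b64url(JSON.stringify({ alg, typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}.c2ln`;
}
function memStorage(obj) { // minimal stand-in for window.localStorage
  const keys = Object.keys(obj);
  return { length: keys.length, key: i => keys[i], getItem: k => obj[k] };
}
const NOW = 1700000000;
const FIXTURES = {
  localStorage: memStorage({
    auth_token: fakeJwt({ sub: 'alice', iat: NOW - 600, exp: NOW + 3000 }),
    jwt: fakeJwt({ sub: 'alice', iat: NOW - 90000, exp: NOW - 86400 }), // expired duplicate
    theme: 'dark', // not a token, skipped
  }),
  sessionStorage: memStorage({ user_token: fakeJwt({ sub: 'alice', exp: NOW + 60 }, 'none') }),
  cookieString: 'session=' + fakeJwt({ sub: 'alice', exp: NOW + 3600 }) + '; lang=en',
};

if (typeof window === 'undefined') console.table(scanStorage(FIXTURES, NOW));
```

The fixtures stand in for the four storage keys the page's "token duplication" scenario mentions: the scan reports the expired `jwt` entry next to the live `auth_token`, flags the `alg: none` header on `user_token`, and lists the `session` cookie precisely because it was readable, which is the signal that it lacks HttpOnly.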

What to Know Before Using

Browser-based only. The tool runs in your browser's JavaScript context. It can only see storage for the current origin (scheme, host and port). Cross-origin tokens remain invisible.

HttpOnly cookies are invisible. Cookies marked HttpOnly are never exposed to JavaScript, neither through document.cookie nor through the Cookie Store API, so the viewer cannot see them at all, not even their names. Every cookie it lists is therefore one that script can read. To confirm that your auth cookie does carry HttpOnly, check the Set-Cookie header in the Network panel or the HttpOnly column in Application → Cookies in dev tools.

Doesn't modify storage. The viewer is read-only. It shows what's stored but doesn't delete or modify anything. Use browser dev tools to actually clear tokens.

Token values are partially hidden. For security, the viewer shows token metadata (size, expiry) but masks the actual token value to prevent accidental exposure.

Security note: If the viewer shows tokens in localStorage, consider migrating to cookies set with HttpOnly, Secure and SameSite. localStorage is readable by any script running on the page, so a single XSS flaw hands the token to the attacker.
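The server-side half of that migration, as an added example that is not part of this page or the viewer: a helper that emits a Set-Cookie header carrying the JWT with HttpOnly, Secure and SameSite set, and an audit function that parses an existing Set-Cookie header and reports the attributes the viewer's "cookies without HttpOnly" finding is about. The function names, finding messages and sample headers are constructed for the example; the `__Host-` prefix rule (Secure, no Domain, Path=/) is the one browsers enforce.

```javascript
// Added example (not the viewer's code): build and audit Set-Cookie headers that
// carry a JWT. Pure functions, so they drop into any Node HTTP framework or a test.

const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Emit a Set-Cookie header value that keeps the token out of script reach.
// Max-Age should track the token's exp so the browser drops the cookie when it lapses.
function buildAuthCookie(name, token, { maxAgeSeconds, path = '/', sameSite = 'Strict' } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  // A JWT is base64url plus dots, so it never needs quoting; reject anything else.
  if (!JWT_SHAPE.test(token)) throw new Error('value is not a JWT');
  const parts = [`${name}=${token}`, `Path=${path}`, 'HttpOnly', 'Secure', `SameSite=${sameSite}`];
  if (Number.isInteger(maxAgeSeconds)) parts.push(`Max-Age=${maxAgeSeconds}`);
  return parts.join('; ');
}

// Split one Set-Cookie header into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    attributes[key] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Report the weaknesses a reviewer would flag on a token-bearing cookie.
function auditSetCookie(header) {
  const { name, value, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) findings.push('missing HttpOnly: document.cookie exposes the value to any injected script');
  if (!attributes.secure) findings.push('missing Secure: the cookie is also sent over plaintext HTTP');
  const sameSite = String(attributes.samesite || '').toLowerCase();
  if (sameSite === '') findings.push('SameSite not set: behaviour depends on the browser default');
  else if (sameSite === 'none') findings.push('SameSite=None: sent on cross-site requests, so CSRF defences must live elsewhere');
  if (name.startsWith('__Host-') && (!attributes.secure || attributes.domain !== undefined || attributes.path !== '/')) {
    findings.push('__Host- prefix requires Secure, no Domain and Path=/; the browser will reject this cookie');
  }
  return { name, looksLikeJwt: JWT_SHAPE.test(value), findings };
}

// Constructed sample token: header {"alg":"HS256"}, payload {"sub":"alice"}, dummy signature.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln';
const WEAK_HEADER = `auth_token=${SAMPLE_JWT}; Path=/`; // what a cookie call that sets no attributes emits
const HARDENED_HEADER = buildAuthCookie('__Host-session', SAMPLE_JWT, { maxAgeSeconds: 900 });

console.log(auditSetCookie(WEAK_HEADER).findings);     // three findings
console.log(auditSetCookie(HARDENED_HEADER).findings); // []
```

Moving the token into an HttpOnly cookie removes it from what the viewer (and an XSS payload) can read, but it also means the browser now attaches it to every matching request, so SameSite or a CSRF token has to do the work that "the script has to read the token and add a header" used to do implicitly.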

Common Questions

Why can't I see tokens in HttpOnly cookies?

HttpOnly is a cookie attribute that prevents JavaScript access. The browser still attaches such cookies to the requests it makes, but scripts cannot read them, so an XSS payload cannot exfiltrate the token. Note the limit of that protection: injected script can still issue requests from the page, and the browser will authenticate them with the cookie. HttpOnly protects the token value, not the session it represents.

How do I delete tokens the viewer finds?

Open browser dev tools (F12). For localStorage/sessionStorage: Application → Local Storage (or Session Storage) → select the origin and delete individual keys, or use Application → Storage → Clear site data to wipe everything for the origin. For cookies: Application → Cookies → delete specific cookies. Clearing storage removes only the client's copy; a still-valid JWT keeps being accepted by the server until it expires or is revoked there.

Can this tool see tokens from other websites?

No. Same-origin policy prevents JavaScript from accessing storage belonging to other domains. You can only see tokens for the site you're currently on.

What does "token size" tell me?

JWT size correlates with payload content. Typical tokens are 200-400 characters. Larger tokens (>1KB) may contain excessive claims that should be moved to your database. Size also matters if you move tokens into cookies: browsers cap a single cookie at roughly 4KB and servers cap total request-header size, so an oversized token can break logins outright.

Why are there multiple tokens stored?

Apps often store access tokens and refresh tokens separately. Some also keep a decoded copy for quick access. Multiple tokens aren't necessarily a problem.

Is it safe to run this on production?

The viewer is read-only and runs client-side. However, it displays token metadata that could reveal implementation details. Use in staging when possible.