Quick way to peek inside a JWT without spinning up a debugger or hitting jwt.io. Paste in a token and you get the header, payload, and all claims formatted cleanly, with exp/iat timestamps converted to human-readable dates. It'll yell at you if it spots alg:none (the classic bypass attack), tokens with no expiry, or sensitive data sitting in plain view. This is decode only, no signature verification, so it's for inspection and debugging, not trust decisions. If you need to actually verify a token's signature, you want jwt-validate instead.
npx skills add https://github.com/jsonwebtoken/jwt-skills --skill jwt-decode