Skip to main content
Version: 1.0.1

Parsing & Decoding Cookie Values

Most interesting cookies aren't plain text. Cookie Lens auto-detects the format and renders the right view — an editable table for delimited key/value pairs, a decoded editor for Base64, and a read-only viewer for JWT and JSON. Edits re-encode back to the original format on save — no copy-pasting into an external decoder.

Supported Formats

JWT (JSON Web Tokens)

A token of the form header.payload.signature.

Cookie Lens splits the three parts, decodes the header and payload, and shows the readable claims (sub, role, iat, exp, and any custom claims), including a human-readable expiry. Editing the payload invalidates the signature — the server will reject it, which is expected when you're testing rejection paths.

JSON

Objects or arrays, e.g. {"userId":"12345","role":"admin"}. Cookie Lens pretty-prints the structure in a read-only view; switch to the Raw tab to edit, and it stays valid JSON in the cookie.

Base64

Base64-encoded values are decoded to their underlying text (often JSON), edited, and re-encoded.

Delimited key/value

Cookies built from repeated key/value pairs with a delimiter — Cookie Lens recognizes ;=, &=, :=, |:, and -_ — are parsed into a table of keys and values you can edit inline.

URL encoding

Values are shown URL-decoded when the round-trip is lossless (for example A%7C1%7CxA|1|x), and re-encoded on save so the stored bytes stay byte-for-byte identical. URL-encoded JSON is decoded through both layers.

Editing a Parsed Value

  1. Click the cookie to open it.
  2. Edit a key/value pair (delimited) or the decoded Base64 text inline; for JWT and JSON, switch to the Raw tab to edit.
  3. Save. Cookie Lens re-encodes to the original format and writes the cookie.

Before:

{"userId": "12345", "theme": "light", "notifications": true}

Switch to the Raw tab, change "theme" to "dark", and save — the page sees the updated preference.

Search Sees the Decoded Value Too

Because Cookie Lens decodes values, smart search can match content that only exists after decoding — a role claim inside a JWT, say. A via JWT / via base64 / via URL chip marks those matches. See Inspecting Cookies.

Tips

  • Inspect without editing — decoding is read-only until you change something, so there's no risk in just looking.
  • Freeze after decoding — once you've dialed in a value, freeze it so nothing overwrites it while you test. See Freezing Cookies.
  • Malformed values are flagged — if a JWT, JSON, or Base64 value can't be decoded, the viewer says so instead of rendering a broken table.

See Also