Parsing & Decoding Cookie Values
Most interesting cookies aren't plain text. Cookie Lens auto-detects the format and renders the right view — an editable table for delimited key/value pairs, a decoded editor for Base64, and a read-only viewer for JWT and JSON. Edits re-encode back to the original format on save — no copy-pasting into an external decoder.
Supported Formats
JWT (JSON Web Tokens)
A token of the form header.payload.signature.
Cookie Lens splits the three parts, decodes the header and payload, and shows the
readable claims (sub, role, iat, exp, and any custom claims), including a
human-readable expiry. Editing the payload invalidates the signature — the
server will reject it, which is expected when you're testing rejection paths.
JSON
Objects or arrays, e.g. {"userId":"12345","role":"admin"}. Cookie Lens
pretty-prints the structure in a read-only view; switch to the Raw tab to
edit, and it stays valid JSON in the cookie.
Base64
Base64-encoded values are decoded to their underlying text (often JSON), edited, and re-encoded.
Delimited key/value
Cookies built from repeated key/value pairs with a delimiter — Cookie Lens
recognizes ;=, &=, :=, |:, and -_ — are parsed into a table of keys and
values you can edit inline.
URL encoding
Values are shown URL-decoded when the round-trip is lossless (for example
A%7C1%7Cx → A|1|x), and re-encoded on save so the stored bytes stay
byte-for-byte identical. URL-encoded JSON is decoded through both layers.
Editing a Parsed Value
- Click the cookie to open it.
- Edit a key/value pair (delimited) or the decoded Base64 text inline; for JWT and JSON, switch to the Raw tab to edit.
- Save. Cookie Lens re-encodes to the original format and writes the cookie.
Example: editing a JSON cookie
Before:
{"userId": "12345", "theme": "light", "notifications": true}
Switch to the Raw tab, change "theme" to "dark", and save — the page
sees the updated preference.
Search Sees the Decoded Value Too
Because Cookie Lens decodes values, smart search can match content that only
exists after decoding — a role claim inside a JWT, say. A
via JWT / via base64 / via URL chip marks those matches. See
Inspecting Cookies.
Tips
- Inspect without editing — decoding is read-only until you change something, so there's no risk in just looking.
- Freeze after decoding — once you've dialed in a value, freeze it so nothing overwrites it while you test. See Freezing Cookies.
- Malformed values are flagged — if a JWT, JSON, or Base64 value can't be decoded, the viewer says so instead of rendering a broken table.
See Also
- Editing Cookies — edit values and attributes.
- Freezing Cookies — hold a value in place.
- Reports & Analysis — audit cookies across the site.