Convert a JWT List into CSV, JSON, SQL IN, and TypeScript Union
Turn a plain list of JWT tokens into CSV, a JSON array, SQL IN, or a TypeScript union for test fixtures and logs. Local parsing, masked output, no decode.
Convert a JWT List into CSV, JSON, SQL IN, and TypeScript Union
A column of bearer tokens shows up in places you did not plan for. A log dump with one token per line. A CSV export from an auth dashboard. A paragraph in a support ticket where someone pasted a request header. Sooner or later you need that pile of tokens to become something a script, a database query, or a test file can actually read, and retyping quotes and commas by hand is both slow and error-prone.
The JWT Token List Converter does exactly that one job: it takes a list of JWT tokens and reshapes it into the format you need next. The whole thing runs inside the browser tab. Nothing is uploaded, the tool does not decode the payload, and it does not verify the signature. It is string work, and it stays string work.
What it converts to
You paste tokens, or upload a local text file, and the parser pulls out the JWT-shaped strings. From there you choose an output format:
- Plain lines — one token per row, cleaned up.
- CSV — ready for a spreadsheet, a CRM import, or a script that reads columns.
- JSON array — drop straight into a test fixture or an API request body.
- Markdown — a table you can paste into a review doc or a ticket.
- SQL IN — a parenthesized list you can drop after
WHERE token IN. - TypeScript union — a string-literal union type for a typed test or a constant.
You can keep only unique rows, sort the normalized output, and decide whether broken tokens come along for review or get held back. The point is to hand off a clean artifact, not to re-clean it three times in your editor.
One list, two formats, no hand-editing
Here is the part that saves the most time. Say a colleague drops three tokens into a chat for a test fixture:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.aaaaaa
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyIn0.bbbbbb
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.aaaaaa
Switch the output to JSON array, turn on unique rows, and the duplicate collapses:
[
"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.aaaaaa",
"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyIn0.bbbbbb"
]
That JSON array pastes straight into a fixture file. Need the same two tokens for a query that pulls their rows from a session table? Switch the format to SQL IN and you get:
('eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.aaaaaa', 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyIn0.bbbbbb')
Drop that after WHERE token IN and run it. Same source list, two destinations, zero manual comma juggling. The TypeScript union path works the same way when you want a typed constant instead of a runtime array.
Masking, and what the tool does not do
Two things matter here and the manifest states both plainly.
First, masking. JWTs are a sensitive profile, so the converter masks token values in the output while still giving you the validation signals you need. You see whether a row parsed as a real three-segment JWT and what was wrong with the ones that did not, without spilling the full secret-bearing string into a doc you might share.
Second, scope. This tool does not decode the JWT payload and it does not verify the signature. A token that is correctly shaped is not proof that the account, the domain, or the resource behind it exists, and a passing format check is not a passing security check. If you need to read claims or confirm a signature, that is a different job for a different tool. The converter only cares that the input is a well-formed list and that the output is the format you asked for.
That boundary is deliberate. When you convert a list into JSON or a SQL IN clause, a broken token must not slip in silently and poison the output. A two-segment string or a chunk that is not valid base64url gets held back and listed with its reason, rather than wrapped into the converted result where it would break your fixture or your query at the worst possible moment.
Where I reach for it
I keep a tab of this open whenever I am building auth test fixtures. The pattern that used to eat ten minutes went like this: grab a handful of tokens from a staging log, paste them into the editor, manually wrap each one in quotes, add commas, fix the trailing comma, then realize two of them were identical. Now I paste the raw block, flip unique on, sort, and copy the JSON array. The duplicate is gone, the formatting is correct on the first try, and because the values are masked I can drop a Markdown table into the PR description without worrying that a live staging token is now sitting in a comment forever. The first time I did it I assumed I had missed a step, because it was that much faster than the old routine.
How it fits the rest of the workflow
The converter is the last stop in a small chain of local JWT tools, and it pairs naturally with the others. If your tokens are still buried inside a wall of log text, pull them out first with the JWT Token Extractor, which grabs the JWT-shaped strings and keeps the surrounding noise out. If you only want to know which rows are well-formed before you commit them anywhere, the JWT Token List Validator reports the reason each row passed or failed.
For cleanup steps, the JWT Token Normalizer strips hidden whitespace that copied web text loves to smuggle in, and the JWT Token Deduplicator collapses repeats if you would rather do that before converting. When the list lives inside HTTP traffic, the HTTP Header Extractor lifts the relevant lines out first. And if your starting point is a wrapped Base64 block rather than clean tokens, the Base64 Block Extractor handles that shape.
A short checklist before you copy
- Normalize first if the tokens came from a copied web page; hidden whitespace breaks deduplication.
- Keep invalid rows visible while you review, so nothing slips into the output silently.
- For an audit trail, download CSV or Markdown with line numbers instead of copying only the final list.
- Remember the masking: the output is safer to paste into a shared doc, but treat any file with real tokens as sensitive anyway.
Reshaping a list of JWT tokens is not glamorous work, but it is the kind of small friction that shows up several times a day for anyone touching auth. Paste the list, pick the format, copy the result. The converter keeps it local, keeps it masked, and keeps the broken rows out of your fixtures.
Made by Toolora · Updated 2026-06-13