
JWT Decoder + Security Auditor

Decode JSON Web Tokens and automatically audit them for common security vulnerabilities. Checks algorithm safety, expiry, and required claims.

All processing happens in your browser — nothing is sent to our servers

What This Tool Checks

This auditor checks for the algorithm confusion attack (alg:none), weak symmetric algorithms (HS256 on public APIs), missing expiry claims, and other OWASP JWT security guidance. The signature is NOT verified — for signature verification you need the secret/public key on your backend.

How it works
JWT Decoding and Security Audit
1. JWT string
   Three Base64url segments separated by dots: header.payload.signature

2. Split & decode
   Each segment is Base64url-decoded independently — no secret needed to read header or payload

3. Parse JSON
   Header: algorithm (alg) and token type. Payload: claims — sub, iss, aud, exp, iat, and custom fields

4. Audit claims
   Flag expired tokens (exp), insecure algorithms (none, HS256 on public APIs), missing aud/iss, and weak secrets

Spec: RFC 7519 (JWT), RFC 7515 (JWS), RFC 7518 (JWA)

Decoding is not verification. Anyone can decode a JWT — the header and payload are not encrypted, only signed. Never trust claims without verifying the signature.
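The four steps above, written out as an added example in plain Node.js (this is not the tool's own source). It splits the token, Base64url-decodes the header and payload, parses them, and reports the audit findings listed above; the `publicApi` option and the sample token are assumptions made for the example, and the signature is deliberately left unverified, exactly as the tool does.

```javascript
// Base64url (RFC 7515 section 2) drops padding and uses '-' and '_' in place of '+' and '/'.
function base64urlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64urlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Steps 1 to 3: split on dots, decode each segment, parse the two JSON parts.
// The signature segment is returned as-is; nothing here checks it.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [h, p, s] = parts;
  return { header: JSON.parse(base64urlDecode(h)), payload: JSON.parse(base64urlDecode(p)), signature: s };
}

// Step 4: audit claims. `publicApi` (assumed option) marks tokens consumed by third parties,
// where a shared HMAC secret (HS256) is flagged. `now` is seconds since the epoch.
function auditJwt(token, { publicApi = false, now = Math.floor(Date.now() / 1000) } = {}) {
  const { header, payload, signature } = decodeJwt(token);
  const findings = [];
  const alg = String(header.alg || "").toLowerCase();
  if (alg === "none" || alg === "") findings.push("alg:none or missing alg: unsigned token, claims can be forged");
  if (signature === "") findings.push("empty signature segment");
  if (publicApi && alg === "hs256") findings.push("HS256 on a public API: every verifier holds the signing secret");
  if (payload.exp === undefined) findings.push("missing exp: token never expires");
  else if (payload.exp <= now) findings.push("token expired");
  if (payload.aud === undefined) findings.push("missing aud");
  if (payload.iss === undefined) findings.push("missing iss");
  return { header, payload, findings };
}

// Constructed sample (not a real token): alg:none, no exp, no aud, empty signature.
const SAMPLE_TOKEN = base64urlEncode('{"alg":"none","typ":"JWT"}') + "." +
  base64urlEncode('{"sub":"1234","iss":"example-issuer"}') + ".";

console.log(auditJwt(SAMPLE_TOKEN).findings);
```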
