June 11, 2026
Kouadiomathias
4 min read
I Built a JWT Decoder That Finds Vulnerabilities jwt.io Misses — and It Runs Entirely in Your Browser
Every developer who works with authentication knows the ritual: you grab a JSON Web Token from the browser's DevTools, from a log, or from a curl response, and you paste it into jwt.io to see what's inside.
I've done it hundreds of times. But a few months ago, while auditing a microservice, I noticed something unsettling. I had just pasted a production-like token into jwt.io when I read the small print: "Signature verified with the server's public key."
The tool had sent my token to a remote backend. I had just leaked a real authentication token without thinking twice.
That was the moment I decided to build my own JWT decoder. One that never phones home. One that does more than just decode — it analyzes, explains, and warns you about dangerous configurations that could leave your API wide open.
The result is the DevToolbox JWT Decoder & Security Analyzer, a completely client-side tool that not only decodes tokens but scans them for 8+ security vulnerabilities in real time.
The Two Things jwt.io Never Told Me
jwt.io is excellent at one job: decoding a JWT and showing you the header, payload, and signature. But there are two enormous blind spots:
- It sends your token to a server. The signature verification feature — one of the main reasons developers use it — requires a round-trip to the jwt.io backend. If you're working with tokens from staging or (God forbid) production, that's a data leak. Even if the token is short-lived, it still contains user identity and claims. You shouldn't have to trust a third party with that.
- It doesn't analyze security. You can stare at the decoded payload all day and never notice that the `alg` claim is set to `none` — meaning the token has no cryptographic signature at all. jwt.io won't flag it. It won't tell you if the token is expired, if it's using a weak algorithm, or if it's vulnerable to the RS256/HS256 confusion attack. It just shows you JSON.
I wanted a tool that would do all of that silently, instantly, and without any network traffic.
What the DevToolbox JWT Decoder Does Differently
100% Client-Side by Design
The decoder runs entirely in JavaScript. Paste a token, and the analysis happens right there in your browser. You can disconnect your internet after loading the page — it still works. Your tokens never touch a server, ever. This is the foundation everything else is built on.
A Security Scanner That Thinks Like a Pentester
As soon as you paste a token, the tool runs a suite of checks, each with a severity rating and a plain-English explanation:
| Severity | What it detects |
|---|---|
| 🔴 Critical | `alg: none` — no signature, anyone can forge claims |
| 🟠 High | RS256/HS256 algorithm confusion risk |
| 🟠 High | Sensitive data in payload (passwords, keys, credit card numbers) |
| 🟡 Medium | Missing expiration (`exp` claim) |
| 🟡 Medium | Token valid for more than 30 days |
| 🟡 Medium | Not yet valid (`nbf` in the future) |
| 🔵 Low | Missing `iat` (issued at) |
| 🔵 Info | Token already expired |
Each finding comes with a concrete fix recommendation. You can even export a JSON report for your security team or an audit trail.
A Visual Expiration Timeline
Instead of forcing you to mentally convert Unix timestamps, the tool draws a color-coded timeline: when the token was issued, when it expires, and where "now" falls. If the token is about to expire, it turns amber. If it's expired, it turns red. A live countdown shows exactly how much time is left.
Smart Input Normalization
You can paste a raw token, a Bearer prefix, an entire Authorization: Bearer ... header from curl, a cookie like jwt=..., or even a URL-encoded token. The tool strips the noise and decodes the core JWT automatically. No manual cleaning required.
Side-by-Side Comparison
When you're debugging token rotation — comparing an old access token with a refreshed one — the compare mode shows the security grades, expiration status, and claim differences with color-coded diffs. It's like a git diff for your JWTs.
A Payload Editor
Need to test how a small change in claims affects the encoded token? Edit the payload directly, and the tool re-encodes the header and payload instantly. The signature is deliberately invalidated and clearly marked — no false sense of security.
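As an added example (not the DevToolbox source code), here are the checks from the severity table above, the input normalization and the payload editor's unsigned re-encoding as plain browser/Node JavaScript. The token is the one from the article's own example; the 30-day threshold and the sensitive-claim name pattern are assumptions standing in for the tool's actual rules.

```javascript
// Added example, not the DevToolbox source: the severity-table checks, input
// normalization and unsigned re-encoding as pure functions (no network, no key; "now" is injectable).
const DAY = 86400;
const pad = (s) => s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "=");

// base64url segment -> parsed JSON (UTF-8 safe, unlike a bare atob()).
function decodeSegment(seg) {
  const bytes = Uint8Array.from(atob(pad(seg)), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// What the payload editor does: re-encode header and payload, drop the signature.
// The trailing "." makes the missing signature explicit rather than pretending to sign.
function encodeUnsigned(header, payload) {
  const enc = (obj) => btoa(String.fromCharCode(...new TextEncoder().encode(JSON.stringify(obj))))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc(header)}.${enc(payload)}.`;
}

// Accept "Authorization: Bearer x", "Bearer x", "jwt=x; Path=/" or a URL-encoded token.
function normalize(input) {
  let s = input.trim();
  try { s = decodeURIComponent(s); } catch (_) { /* not URL-encoded, keep as-is */ }
  s = s.replace(/^authorization:\s*/i, "").replace(/^bearer\s+/i, "").replace(/^[\w-]+=/, "");
  return s.split(/[\s;]/)[0];
}

function analyze(rawInput, now = Math.floor(Date.now() / 1000)) {
  const parts = normalize(rawInput).split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const findings = [];
  const add = (severity, message) => findings.push({ severity, message });
  const alg = String(header.alg ?? "").toLowerCase();
  if (alg === "none" || parts[2] === "") add("critical", "alg none: unsigned token, anyone can forge claims");
  if (/^rs\d{3}$/.test(alg)) add("high", "RS* header: verifier must pin the algorithm (RS256/HS256 confusion)");
  if (payload.exp === undefined) add("medium", "missing exp: token never expires");
  else if (payload.exp <= now) add("info", "token already expired");
  if (payload.exp !== undefined && payload.iat !== undefined && payload.exp - payload.iat > 30 * DAY)
    add("medium", "token valid for more than 30 days"); // 30 days is an assumed threshold
  if (payload.nbf !== undefined && payload.nbf > now) add("medium", "nbf in the future: not yet valid");
  if (payload.iat === undefined) add("low", "missing iat");
  for (const k of Object.keys(payload)) if (/pass|pwd|secret|ssn|card/i.test(k)) add("high", `sensitive claim: ${k}`);
  return { header, payload, findings };
}
// The unsigned token from the article's example, analyzed at a fixed "now" after its exp.
const ARTICLE_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJ1c2VyXzEyMzQ1IiwibmFtZSI6IkFsaWNlIERvZSIsImVtYWlsIjoiYWxpY2VAZXhhbXBsZS5jb20iLCJyb2xlcyI6WyJ1c2VyIl0sImlhdCI6MTc0OTM3NjgwMCwiZXhwIjoxNzQ5NDYzMjAwfQ.";
console.log(analyze(`Authorization: Bearer ${ARTICLE_TOKEN}`, 1749500000).findings);
```

Running it yields two findings for the article's token: the critical `alg: none` and the informational "already expired"; the RS256 confusion check fires only on the header value, which is exactly why the verifying backend, not the token, must decide which algorithm is acceptable.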
How It Stacks Up
| Feature | DevToolbox | jwt.io |
|---|---|---|
| Decode header/payload | ✅ | ✅ |
| Signature verification | ❌ (intentionally — keep your secret safe) | ✅ (sends token to server) |
| Algorithm `none` detection | ✅ | ❌ |
| Algorithm confusion detection | ✅ | ❌ |
| Sensitive data scan | ✅ | ❌ |
| Visual expiration timeline | ✅ | ❌ |
| Token comparison mode | ✅ | ❌ |
| Exportable security report | ✅ | ❌ |
| Works fully offline | ✅ | ❌ |
You might ask: "Why no signature verification?" Because the right place to cryptographically verify a token is your backend, using your secret key in a secure environment. Pasting a secret into a browser window — even a client-side one — is a dangerous habit. The tool shows the raw signature for manual inspection and clearly warns that it cannot be verified without the key.
A Concrete Example
Let's say I paste this token:
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJ1c2VyXzEyMzQ1IiwibmFtZSI6IkFsaWNlIERvZSIsImVtYWlsIjoiYWxpY2VAZXhhbXBsZS5jb20iLCJyb2xlcyI6WyJ1c2VyIl0sImlhdCI6MTc0OTM3NjgwMCwiZXhwIjoxNzQ5NDYzMjAwfQ.
Within milliseconds, the tool tells me:
- 🔴 Critical: Algorithm `none` — this token has no signature at all.
- 🟡 Medium: No expiration — wait, actually it has `exp`, but it's in the past, so 🔵 Info: Token expired.
- ✅ All other checks pass.
jwt.io would just decode the header and payload. I'd have to manually notice that alg is none and mentally check the expiration timestamp. This tool surfaces everything instantly.
Part of a Growing Suite of Privacy-First Developer Tools
This JWT decoder is part of a larger project: DevToolbox, a collection of free, client-side tools for developers. The guiding principle is simple: if a tool can run in the browser, it should. No one should have to upload sensitive configuration, tokens, or credentials to a remote server just to format JSON or check an HTTP header.
Some other tools in the suite:
- 🎨 CSS Effects Generator — glassmorphism, neumorphism, keyframes, contrast checker
- 📡 HTTP Header Analyzer — security headers scoring with plain-English explanations
- ⏱ Universal Timestamp Converter — Unix, ISO, FILETIME, UUID v1/v7, ObjectID
- 🧹 SQL Formatter & Explainer — format, detect anti-patterns, convert between dialects
Every tool is free, requires no sign-up, and runs entirely in your browser.
Try It Yourself
The next time you need to inspect a JWT, give the DevToolbox JWT Decoder a try. It's faster, safer, and more informative than the status quo.
If you find a bug or have an idea for a new check, I'd love to hear about it. The project is actively maintained, and every suggestion helps make it better for the community.
Have you ever accidentally leaked a token to a third-party tool? What's your go-to workflow for JWT debugging? Let's discuss in the comments.