
JWT (JSON Web Token) debugger - tosh
https://jwt.io
======
eranation
If you want to avoid pasting tokens in online tools (right now it looks like
they don't send out / record anything, but as a general practice, pasting
sensitive tokens in online tools is probably not the best idea), then this
one-liner in the browser console can be used for most purposes:

    // JWT segments are base64url; map '-' and '_' to the standard alphabet so atob() accepts them
    JSON.stringify(JSON.parse(atob(TOKENHERE.split('.')[1].replace(/-/g, '+').replace(/_/g, '/'))), null, 2);

~~~
csours
> JSON.stringify(JSON.parse(atob(TOKENHERE.split('.')[1])), null, 2);

Non-code version for mobile users.

My contribution: a bookmarklet I use to copy JWTs from my internal sites to
the clipboard. Replace jwt_name with your name.

    javascript:(function () {
      var textArea = document.createElement("textarea");
      textArea.value = window.sessionStorage.jwt_name;
      document.body.appendChild(textArea);
      textArea.select();
      document.execCommand('copy');
      document.body.removeChild(textArea);
    })();

------
teajunky
Looking into the page inspector shows 165 HTTP requests on the start page. It
includes ads, trackers and analytics from multiple sources (Google, Twitter,
LinkedIn, Facebook etc.).

Can anyone suggest an (offline?) alternative?

I used jwt.io a lot for debugging and it's great. Currently it is decoding the
tokens on the client but I am not sure if I should continue using it.

A hacker could take over the site and capture thousands of access tokens and
some are valid for multiple days.

Edit: Installing uBlock Origin reduces the number of requests down to 67, but I
still see the analytics stuff from Google and Twitter.

~~~
capableweb
The website source is here:
[https://github.com/jsonwebtoken/jsonwebtoken.github.io](https://github.com/jsonwebtoken/jsonwebtoken.github.io)

I've been running a local copy since last year sometime, when the website went
down when I needed it. I've also stripped away all the annoying things from
the website to just get the debugger. Very easy to do!

~~~
teajunky
Thanks. I once searched for it but only found some used libraries.

~~~
capableweb
Yeah, Auth0 is doing a good job hiding it; it seems they are not super hyped
about the website being open source.

~~~
guptaneil
What makes you think that? There's a link in jwt.io's footer to the GitHub
repo.

------
StavrosK
I'd like to mention here that PASETO is a safer JWT alternative:

[https://github.com/paragonie/paseto](https://github.com/paragonie/paseto)

~~~
itake
For the uninitiated:

> Unlike JSON Web Tokens (JWT), which gives developers more than enough rope
> with which to hang themselves, Paseto only allows secure operations. JWT
> gives you "algorithm agility", Paseto gives you "versioned protocols". It's
> incredibly unlikely that you'll be able to use Paseto in an insecure way.

~~~
StavrosK
Thank you, sorry, I probably should have included that.

------
minhajuddin
A neat thing about this is that it doesn't send your tokens over the wire
which is good security-wise :)

~~~
tosh
With similar web apps (e.g. hashing of passwords) I was thinking it would be
great to be able to show the user that this web page can't send data
anywhere once it is loaded.

(I understand that this might be tricky or even impossible (?) to ensure in
browsers but it would be interesting to be able to give and prove guarantees
like that to the user)

~~~
csours
In the developer console, I can disable the internet connection for a tab. I
wonder if that could be leveraged somehow.

I think it might take quite a few changes though. Very interesting idea.

------
zshift
I’ve been using this for debugging tokens in my shell. It’s convenient when
using curl or httpie to just grab the auth header and pipe it.
[https://github.com/mike-engel/jwt-cli](https://github.com/mike-engel/jwt-cli)

------
soulchild37
Bless this debugger, saved me so much time when implementing Sign in with
Apple

~~~
simonmales
Within my team I call this the best website in the world.

------
loginatnine
Good to know: you can paste only parts of the token and it will decode them
without any problem. I always leave the signature part out when I use
this tool.

~~~
jaywalk
Just curious, why do you leave the signature out?

~~~
Deathmax
If you have concerns that the page might steal the tokens, leaving out the
signature if you're not trying to debug it prevents a valid token from
touching the site.

------
BeyondLimits99
If you're using JWTs for authentication, it's considered insecure to store
them in local storage because of XSS etc.

Where / how are you storing them locally for headless apps?

------
lucis
It's usually the first place I go to check base64 or other cryptic information.

------
polote
I'm always amazed at which content shows up on the front page. There is
currently a 15-minute window on /newest and the most upvoted article is about
a page which doesn't really bring anything new, hmm.

~~~
scrollaway
You should see the comments.

~~~
polote
If you want more info on JWT, there is:

[https://news.ycombinator.com/item?id=21783303](https://news.ycombinator.com/item?id=21783303)
6 months ago, 227 comments (first comment by dang referencing all the other
posts)

[https://news.ycombinator.com/item?id=22354534](https://news.ycombinator.com/item?id=22354534)
3 months ago, 166 comments

and a bunch of other discussions:
[https://hn.algolia.com/?q=jwt](https://hn.algolia.com/?q=jwt)

------
rvz
So which one is a JWT, hackers?

    A) v1.local.CuizxAzVIz5bCqAjsZpXXV5mk_WWGHbVxmdF81DORwyYcMLvzoUHUmS_VKvJ1hn5zXyoMkygkEYLM2LM00uBI3G9gXC5VrZCUM-BLZo1q9IDIncAZTxYkE1NUTMz
    B) eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhpIEhhY2tlciBOZXdzIiwiaWF0IjoxNTE2MjM5MDIyfQ.IlIR9_imqGCgEVG_QUb4LhDwSeNhYc50t3Ij5x126scVNJFQqCveblmHx__tqjaI
    C) ATkJzynwvPlX6PxBU5BO5xa96S6vymIbmIZnk9og7KxhLHqYLoneLK6WTkyyuGFk7uWZZUnQFVTaThmHzFvaf
    D) gAAAAABezWTi-jcq7zlfBaR0vGUy-B9WJ_3lL6S48JO7t9LiW4283zOqBAJvJZEAvusn7OKpgyyoPp2p7okVE4TQfYuihDou67vOHH6G0zqdQz0_1NLvSTM=

If you know which one it is straightaway, then it is the worst choice out of
all of them (because it is not encrypted by default). I would choose the least
obvious one here.

~~~
guessmyname
You can recognize JWTs without decoding by checking the string format:

JSON Web Tokens follow this format → ALGO+TokenType.Payload.Signature

So obviously the only valid JWT in your question is “B”.

    B) eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9
       .
       eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6
       IkhpIEhhY2tlciBOZXdzIiwiaWF0IjoxNTE2
       MjM5MDIyfQ
       .
       IlIR9_imqGCgEVG_QUb4LhDwSeNhYc50t3Ij
       5x126scVNJFQqCveblmHx__tqjaI

But this does not matter because you are not supposed to decode random strings
expecting them to be JSON Web Tokens. That would be as stupid as assuming that
any 32-byte string is MD5 or any 40-byte string is SHA1, etc. You either
know what your input’s format is or you do not, in which case you should not
even attempt to decode it because it clearly is not a valid input.

~~~
RagingCactus
And another party trick: Base64-encoded JSON objects always start with "ey".

