Documentation & Learning Resources
Back to Tool

JWT Decoder & Analyzer Tool Guide

Tool Guide Reading time: 5 min

The JWT Decoder & Analyzer is the core tool in JWTAuditor that allows you to inspect and analyze JWT tokens for security vulnerabilities. This guide will help you understand how to use this tool effectively.

JWT Decoder & Analyzer Screenshot
JWT Decoder & Analyzer interface

Features

  • Decode JWT tokens to view header, payload, and signature
  • Comprehensive security analysis with severity ratings
  • Identify weak algorithms (none, HS256) and deprecated cryptography
  • Detect algorithm confusion vulnerabilities
  • Check for missing or weak claims
  • Verify expiration and issuance times
  • Identify sensitive data and PII in payload
  • Detect potential SQL injection, path traversal, and command injection in header parameters
  • Analyze signature strength and validity
  • Identify tokens vulnerable to bruteforce attacks
  • Direct integration with Secret Bruteforcer for testing weak secrets
  • Security summary with actionable recommendations

How to Use

Step 1: Enter a JWT Token

In the main interface, locate the "Decoder" tab and enter your JWT token in the input field. You can paste a token from your clipboard or type it manually.

Tip: JWT tokens typically follow the format xxxxx.yyyyy.zzzzz where each part is Base64Url encoded.

Step 2: Decode the Token

Click the "Decode" button to process the token. The tool will automatically:

  • Split the token into its three parts (header, payload, signature)
  • Decode the Base64Url encoded header and payload
  • Display the decoded JSON in a readable format

Step 3: Review the Decoded Information

The decoded information will be displayed in three sections:

  • Header: Contains metadata about the token type and signing algorithm
  • Payload: Contains the claims (data) stored in the token
  • Signature: The cryptographic signature that verifies the token's authenticity

Step 4: Analyze for Vulnerabilities

After decoding, the tool automatically analyzes the token for common security issues. The analysis results will be displayed in the "Analysis" section, categorized by severity:

  • High: Critical security issues that should be addressed immediately
  • Medium: Important security concerns that should be reviewed
  • Low: Minor issues or best practice recommendations
  • Info: Informational notes about the token

Understanding the Analysis

Security Summary

The tool now provides a comprehensive security summary at the top of the analysis:

  • Issue Count by Severity: Visual breakdown of high, medium, low, and info-level issues
  • Overall Security Assessment: Quick assessment of the token's security posture
  • Actionable Recommendation: Clear guidance on what to do next based on findings

Algorithm Analysis

The tool checks the algorithm specified in the header and flags potential issues:

  • None Algorithm: High severity - The token uses the "none" algorithm, which means no signature verification is performed
  • Weak Algorithm: Medium severity - The token uses a potentially weak algorithm like HS256 with a short key
  • Algorithm Confusion: Medium severity - The token might be vulnerable to algorithm confusion attacks
  • Insecure Algorithm: High severity - The token uses a cryptographically insecure algorithm
  • Missing Signature: High severity - The token claims to use a signature algorithm but has no signature

Claims Analysis

The tool examines the claims in the payload:

  • Missing Expiration: High severity - The token doesn't have an expiration time (exp claim)
  • Token Expired: Medium severity - The token has already expired
  • Long Token Lifetime: Medium severity - The token has an unusually long lifetime
  • Token Not Yet Valid: Medium severity - The token's nbf (not before) claim indicates it's not yet valid
  • Missing Recommended Claims: Medium severity - The token is missing important claims (sub, iss, aud, jti, iat)
  • Empty Claims: Low severity - The token contains claims with empty values
  • Overly Generic Audience: Medium severity - The audience claim is too generic to provide proper security
  • Multiple Audiences: Low severity - The token has an unusually high number of audiences

Data Analysis

The tool scans the payload for potentially sensitive information:

  • Sensitive Data: High severity - The token contains what appears to be sensitive data (passwords, keys, etc.)
  • PII in Payload: Medium severity - The token contains personally identifiable information
  • Large Payload: Low severity - The token payload is unusually large, which could impact performance

Signature Analysis

The tool analyzes the signature for potential weaknesses:

  • Suspiciously Short Signature: High severity - The signature is shorter than expected for the algorithm
  • Potentially Weak Signature: Medium severity - The signature length suggests a weak secret may have been used
  • Potential Bruteforce Vulnerability: Medium severity - The token uses a symmetric algorithm that could be vulnerable to bruteforcing

Header Parameter Analysis

The tool checks header parameters for potential injection vulnerabilities:

  • Potential SQL Injection in kid Header: High severity - The kid parameter contains characters that might be used for SQL injection
  • Potential Path Traversal in kid Header: High severity - The kid parameter contains directory traversal sequences
  • Potential Command Injection in kid Header: High severity - The kid parameter contains characters that might be used for command injection

Attack Vulnerability Analysis

The tool identifies potential attack vectors:

  • Replay Attack Vulnerability: Medium severity - The token lacks a JWT ID and has a long expiration time
  • Missing JWT ID: Low severity - The token doesn't have a JWT ID (jti claim), making token revocation difficult
  • Potentially Weak JWT ID: Low severity - The JWT ID may not have sufficient randomness or uniqueness

Example Analysis

Vulnerable Token Example

eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.

Analysis results:

Security Analysis Summary

2 High
1 Medium
1 Low
Critical security issues detected!

This token has serious security vulnerabilities that should be addressed immediately.

None Algorithm Detected

Severity: High

Description: This token uses the 'none' algorithm, which means no signature verification is performed.

Recommendation: Reject tokens with the 'none' algorithm and implement proper signature verification.

No Expiration

Severity: High

Description: The token does not have an expiration time (exp claim), making it valid indefinitely.

Recommendation: Always include an expiration time in your JWTs to limit their lifetime and reduce the impact of token theft.

Missing Recommended Claims

Severity: Medium

Description: The JWT is missing recommended claims: iss (issuer), aud (audience), jti (JWT ID).

Recommendation: Include these claims to improve security and prevent token misuse, replay attacks, and audience confusion.

Missing JWT ID

Severity: Low

Description: The token does not have a JWT ID (jti claim), which makes it harder to implement token revocation.

Recommendation: Include a unique jti claim to enable token revocation and prevent replay attacks.

Symmetric Algorithm Token Example

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyNDI2MjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Analysis results:

Security Analysis Summary

0 High
2 Medium
1 Info
Security improvements needed

This token has security issues that should be addressed to improve its security posture.

Potentially Weak Algorithm

Severity: Medium

Description: The JWT uses HS256, which may be vulnerable if a weak secret is used.

Recommendation: Consider using a stronger algorithm like HS384, HS512, or an asymmetric algorithm (RS256, ES256).

Potential Bruteforce Vulnerability

Severity: Medium

Description: This JWT uses a symmetric algorithm (HS*) which could be vulnerable to secret bruteforcing if a weak secret was used.

Recommendation: Use a strong, high-entropy secret key (at least 32 random bytes) and consider using the Secret Bruteforcer tool to test your token against common secrets.

Bruteforce Testing Recommended

Severity: Info

Description: You should test this token with the Secret Bruteforcer tool to check if it uses a weak secret.

Recommendation: Click on the "⚡ Secret Bruteforce" tab to test this token against common secrets and wordlists.

This token uses a symmetric algorithm (HS*) and could be tested for weak secrets

Secure Token Example

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyNDI2MjIsImlzcyI6ImF1dGguc2VydmljZS5jb20iLCJhdWQiOiJhcGkuc2VydmljZS5jb20iLCJqdGkiOiI3MzkyZjdmOC01MGFmLTQ3MzYtOTg3Ni0zYzBlNDQ3MjgwZmQifQ.signature

Analysis results:

Security Analysis Summary

0 High
0 Medium
0 Low
No issues detected

This token appears to follow security best practices.

No Vulnerabilities Detected

No obvious security issues were found in this JWT.

This token uses a strong algorithm (RS256) and includes all recommended claims (sub, iat, exp, iss, aud, jti).

Note: This does not guarantee the token is secure. Always follow best practices for JWT handling.

Next Steps

After analyzing a token, you might want to:

  • For tokens using symmetric algorithms (HS256, HS384, HS512), click the "Test for Weak Secret" button to automatically transfer the token to the Secret Bruteforcer tool
  • Use the JWT Editor to modify the token and test for vulnerabilities
  • Learn more about the specific vulnerabilities in the JWT Vulnerabilities Guide
  • Review the security recommendations and address any identified issues in your JWT implementation
Direct Integration: When a token using a symmetric algorithm (HS*) is detected, the analyzer will automatically provide a "Test for Weak Secret" button that transfers the token to the Secret Bruteforcer tool with a single click.

Related Tools

Secret Bruteforcer JWT Editor