
// free security tool

JWT Security Auditor

Paste a JSON Web Token and get an instant security audit. The JWT Security Auditor checks the algorithm, signature configuration, claims, and expiry for the weaknesses attackers actually exploit — and explains how to fix each one. Analysis runs locally on the server in memory; your token is never stored, logged, or transmitted.


What the JWT audit checks

How to read the results

Each finding is labelled by severity and mapped to the underlying weakness, with a one-line remediation. Treat critical and high findings (signature bypass, missing expiry) as blockers before shipping.

Common fixes

Frequently asked questions

Is it safe to paste a token here?

Yes. The token is parsed in memory to produce the report and is never stored, logged, or sent to any third party. Still, treat production tokens as secrets and revoke anything you paste publicly.

What is the alg=none vulnerability?

If a server accepts a JWT with the algorithm set to none, the signature is not verified and an attacker can forge any token. The auditor flags this and any algorithm-confusion risk.
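As an added example that is not part of the auditor's own code, a minimal server-side verifier showing the fix the audit recommends: the header's alg is compared against a fixed allow-list, so a token claiming alg=none is rejected before any signature logic runs, a valid HS256 token passes, and missing or past exp is flagged. It assumes the service only issues HS256 with a shared secret (a constructed value in the test) and uses the standard three-segment compact form.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side allow-list: the header never chooses how (or whether) the
# signature is checked. Assumption: this service only ever issues HS256.
ALLOWED_ALGS = {"HS256"}

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_hs256(payload: dict, secret: bytes) -> str:
    """Mint a compact JWT signed with HMAC-SHA256 (used to build sample input)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def audit_token(token: str, secret: bytes, now=None) -> dict:
    """Return findings for a token; 'ok' is True only when nothing was flagged."""
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "findings": ["critical: expected 3 segments"], "claims": {}}
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    payload = json.loads(b64url_decode(p_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        # alg=none and algorithm confusion both land here and never reach verification.
        findings.append(f"critical: alg {alg!r} not in allow-list {sorted(ALLOWED_ALGS)}")
    else:
        expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            findings.append("critical: HS256 signature does not verify")
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if exp is None:
        findings.append("high: missing exp claim")
    elif exp <= now:
        findings.append("high: token expired")
    return {"ok": not findings, "findings": findings, "claims": payload}
```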

Does this verify my signature?

It inspects the token structure, header, claims, and configuration. It does not require your secret key; it flags weak or missing verification settings rather than brute-forcing keys.

What is the difference between free and Pro?

Free covers 1 audit per month with the core checks. Pro raises the limit to 100 per month with saved history and exportable reports.
