NeoShield Security logo NeoShield Security Quantum X

// tool reference · Vulnerability & Assessment

JWT Security Auditor Free

Decode and audit a JSON Web Token for weak settings.

Open JWT Security Auditor → Engine: /security-tools/jwt_auditor


What it does

Decodes a JSON Web Token and audits it for the weaknesses most scanners only flag superficially: alg=none and algorithm confusion, weak HMAC sizing, missing or over-long expiry, nbf/iat sanity, audience/issuer gaps, sensitive claims leaked into the payload, and header-injection surface (kid, jku, x5u, x5c).

When to use it

Inputs

Field names are the actual form parameters, verified against source.

FieldTypeRequiredNotes
jwt textarea required The token. Your signing secret is NEVER requested.

What you get back

Decoded header and claims, plus ranked findings.

Worked example

Input

eyJhbGciOiJub25lIn0.eyJhZG1pbiI6dHJ1ZX0.

Output (abridged)

CRITICAL  alg = none
          The token declares no signature. Any server honouring this
          header accepts a payload the client wrote — here, admin=true.
          → Pin an explicit algorithm allow-list server-side.
            NEVER take the algorithm from the token header.

HIGH      No 'exp' claim — the token never expires.
MEDIUM    Sensitive claim in payload: 'admin' is authorisation state
          in a client-readable blob (base64 is not encryption).

How it works

Entirely local. The token is parsed in memory and the signature is never verified against any secret — no secret is ever asked for, so none can leak. It audits configuration, it does not crack keys.

Privacy

Nothing is stored or logged. The token stays in memory.

Standards

RFC 7519RFC 8725 (JWT BCP)OWASP API Security

Related tools

← All tools Manual home