// tool reference · Vulnerability & Assessment
JWT Security Auditor Free
Decode and audit a JSON Web Token for weak settings.
Open JWT Security Auditor → Engine: /security-tools/jwt_auditor
What it does
Decodes a JSON Web Token and audits it for the weaknesses most scanners only flag superficially: alg=none and algorithm confusion, weak HMAC sizing, missing or over-long expiry, nbf/iat sanity, audience/issuer gaps, sensitive claims leaked into the payload, and header-injection surface (kid, jku, x5u, x5c).
When to use it
- Reviewing an auth implementation; triaging a token from a bug report.
Inputs
Field names are the actual form parameters, verified against source.
| Field | Type | Required | Notes |
|---|---|---|---|
| jwt | textarea | required | The token. Your signing secret is NEVER requested. |
What you get back
Decoded header and claims, plus ranked findings.
Worked example
Input
eyJhbGciOiJub25lIn0.eyJhZG1pbiI6dHJ1ZX0.
Output (abridged)
CRITICAL alg = none
The token declares no signature. Any server honouring this
header accepts a payload the client wrote — here, admin=true.
→ Pin an explicit algorithm allow-list server-side.
NEVER take the algorithm from the token header.
HIGH No 'exp' claim — the token never expires.
MEDIUM Sensitive claim in payload: 'admin' is authorisation state
in a client-readable blob (base64 is not encryption).
How it works
Entirely local. The token is parsed in memory and the signature is never verified against any secret — no secret is ever asked for, so none can leak. It audits configuration, it does not crack keys.
Privacy
Nothing is stored or logged. The token stays in memory.
Standards
RFC 7519RFC 8725 (JWT BCP)OWASP API Security