Giorgos Moustakas

JWT decoder + vulnerability checks

Decodes a JWT in the browser (never sent over the wire) and surfaces the usual security gotchas: alg=none acceptance, missing exp / nbf, very short HMAC secrets, kid header weirdness, and the RS256→HS256 confusion vector. Token never leaves your tab.

Stack: React

Decoded in your browser. Nothing is sent to any server.

Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1700000000,
  "exp": 4086736000,
  "iss": "https://example.com"
}
Signature
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Findings (1)
  • warn: Very long expiry

    exp is 73.2 years from now. Long-lived JWTs are hard to revoke.
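The checks listed above, as an added example written for this page rather than the tool's own source: a local decoder that parses the three segments and reports the same classes of finding. It assumes a one-year threshold for "very long expiry", a 32-byte floor for HMAC secrets, and that `kid` should stay within `[A-Za-z0-9_-]`; the signature is displayed but never verified.

```javascript
// Added example, not the tool's own source: decode a JWT locally and report the
// findings the tool describes. The signature is shown but NOT verified here.
const toB64 = (s) => s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
const b64urlDecode = (s) =>
  typeof atob === "function" ? atob(toB64(s)) : Buffer.from(toB64(s), "base64").toString("binary");
const b64urlEncode = (s) =>
  (typeof btoa === "function" ? btoa(s) : Buffer.from(s, "binary").toString("base64"))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return { header: JSON.parse(b64urlDecode(parts[0])), payload: JSON.parse(b64urlDecode(parts[1])), signature: parts[2] };
}

// opts.expectedAlg: the algorithm the verifier is pinned to (assumed option);
// opts.hmacSecret: the HMAC key, if you hold it (assumed option). Thresholds below are assumptions.
function analyseJwt(token, opts = {}, nowSec = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(token);
  const findings = [];
  const add = (level, title, detail) => findings.push({ level, title, detail });
  const alg = String(header.alg ?? "");
  if (!alg || alg.toLowerCase() === "none") add("error", "alg=none", "unsigned token; a verifier must reject it outright");
  if (opts.expectedAlg && alg !== opts.expectedAlg)
    add("error", "Algorithm confusion", `verifier expects ${opts.expectedAlg} but token says ${alg}; never let the token choose the alg`);
  if (alg.startsWith("HS") && opts.hmacSecret !== undefined && new TextEncoder().encode(opts.hmacSecret).length < 32)
    add("warn", "Short HMAC secret", "HMAC key is under 32 bytes; offline guessing becomes practical");
  if (header.kid !== undefined && !/^[A-Za-z0-9_-]{1,64}$/.test(String(header.kid)))
    add("warn", "kid header weirdness", "kid contains unexpected characters; treat it as untrusted input in key lookups");
  if (payload.exp === undefined) add("warn", "Missing exp", "token never expires");
  else if (payload.exp <= nowSec) add("warn", "Expired", "exp is in the past");
  else if (payload.exp - nowSec > 365 * 86400)
    add("warn", "Very long expiry", `exp is ${((payload.exp - nowSec) / 31557600).toFixed(1)} years from now. Long-lived JWTs are hard to revoke.`);
  if (payload.nbf === undefined) add("info", "Missing nbf", "no not-before claim");
  return { header, payload, signature, findings };
}

// Constructed sample: the header and payload shown on this page; the signature is not valid for them.
const SAMPLE_TOKEN = [
  b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify({ sub: "1234567890", name: "John Doe", iat: 1700000000, exp: 4086736000, iss: "https://example.com" })),
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
].join(".");

console.log(analyseJwt(SAMPLE_TOKEN).findings);
```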
