If you are a web developer, you've probably done this hundreds of times:
you copy a JWT from your network tab, paste it into a site like jwt.io, look at the JSON payload, and move on.
But there are two massive problems with this workflow:
Security/Privacy: Are you really pasting production tokens (which might contain sensitive data) into a random third-party website?
Blind Spots: Simply looking at decoded JSON doesn't tell you if your authentication implementation is actually secure.
I wanted a tool that acts like an aggressively paranoid security reviewer—a tool that actively looks for vulnerabilities. More importantly, I wanted a tool that guarantees my tokens never leave my machine.
So, I built the JWT Zero-Trust Inspector, an open-source JWT auditing tool that runs 100% locally in your browser. Here is how and why I built it.
The Problem: Decoding vs. Auditing
Most JWT tools are just Base64 decoders. They assume trust. But in a Zero-Trust architecture, we must assume the token is potentially malicious or deeply misconfigured.
I wanted to catch common "footguns" that developers miss during implementation. I mapped out the core vulnerabilities I wanted to detect:
Algorithm Exploits: The infamous alg: 'none' vulnerability, or asymmetric/symmetric key confusion attacks.
Lifecycle Mismanagement: Tokens missing expiration (exp) or Not-Before (nbf) claims, or tokens issued with a lifespan of 10 years (we've all seen it).
Data Leaks: PII (Personally Identifiable Information) like emails or SSNs baked into the unencrypted payload.
Revocation Failures: Missing jti (JWT ID) claims, making it impossible to invalidate the token if compromised.
The Architecture: Why Browser-Only?
When dealing with security tokens, the golden rule is: Don't send it to a server unless you have to.
I decided to build the inspector using a client-side-only architecture
(using modern JavaScript and the Web Crypto API where necessary).
By keeping everything in the browser:
Zero Latency: Analysis is instant.
Total Privacy: There is no backend API receiving your tokens. No server logs, no
database, no risk of interception. You can safely paste a production
token into the UI, turn off your Wi-Fi, and it will still audit it
perfectly.Easy Portability: Because the core logic is pure JavaScript, I was easily able to extract the auditing engine into a CLI tool and a library that can run in CI/CD pipelines!
How the Engine Works Under the Hood
Instead of just running JSON.parse(atob(payload)), the engine applies a series of static analysis rules to the token's Header and Payload components.
For example, detecting an overly long lifespan is a simple but effective check:
// Simplified example of the audit logic
function checkLifespan(payload) {
if (!payload.iat || !payload.exp) return 'Missing timeline claims';
const lifespanInHours = (payload.exp - payload.iat) / 3600;
if (lifespanInHours > 24) {
return `Warning: Token lifespan is suspiciously long (${lifespanInHours} hours). Consider short-lived tokens + refresh tokens.`;
}
return 'Pass';
}
By chaining dozens of these rules together, the tool builds a
comprehensive "Security Report Card" for your token in milliseconds.
What's Next?
Building this has been a great dive into the dark corners of web authentication.
I've open-sourced the entire project under the MIT license because I believe proactive JWT validation should be standard practice, not an afterthought.
You can check out the live (browser-only) version here:
https://jwt-inspector.pages.dev/
I'd love your feedback!
If you are a backend dev or security researcher, what are some of the worst JWT misconfigurations you've seen in the wild? Drop them in the comments, and I might write a rule to catch them!
Top comments (0)