How I built a Zero-Trust JWT Inspector that runs entirely in the browser

bruce way — Mon, 13 Apr 2026 07:00:13 +0000

If you are a web developer, you've probably done this hundreds of times:

you copy a JWT from your network tab, paste it into a site like jwt.io, look at the JSON payload, and move on.

But there are two massive problems with this workflow:

Security/Privacy: Are you really pasting production tokens (which might contain sensitive data) into a random third-party website?
Blind Spots: Simply looking at decoded JSON doesn't tell you if your authentication implementation is actually secure.

I wanted a tool that acts like an aggressively paranoid security reviewer—a tool that actively looks for vulnerabilities. More importantly, I wanted a tool that guarantees my tokens never leave my machine.

So, I built the JWT Zero-Trust Inspector, an open-source JWT auditing tool that runs 100% locally in your browser. Here is how and why I built it.

The Problem: Decoding vs. Auditing

Most JWT tools are just Base64 decoders. They assume trust. But in a Zero-Trust architecture, we must assume the token is potentially malicious or deeply misconfigured.

I wanted to catch common "footguns" that developers miss during implementation. I mapped out the core vulnerabilities I wanted to detect:

Algorithm Exploits: The infamous alg: 'none' vulnerability, or asymmetric/symmetric key confusion attacks.
Lifecycle Mismanagement: Tokens missing expiration (exp) or Not-Before (nbf) claims, or tokens issued with a lifespan of 10 years (we've all seen it).
Data Leaks: PII (Personally Identifiable Information) like emails or SSNs baked into the unencrypted payload.
Revocation Failures: Missing jti (JWT ID) claims, making it impossible to invalidate the token if compromised.

The Architecture: Why Browser-Only?

When dealing with security tokens, the golden rule is: Don't send it to a server unless you have to.

I decided to build the inspector using a client-side-only architecture
(using modern JavaScript and the Web Crypto API where necessary).

By keeping everything in the browser:

Zero Latency: Analysis is instant.
Total Privacy: There is no backend API receiving your tokens. No server logs, no
database, no risk of interception. You can safely paste a production
token into the UI, turn off your Wi-Fi, and it will still audit it
perfectly.
Easy Portability: Because the core logic is pure JavaScript, I was easily able to extract the auditing engine into a CLI tool and a library that can run in CI/CD pipelines!

How the Engine Works Under the Hood

Instead of just running JSON.parse(atob(payload)), the engine applies a series of static analysis rules to the token's Header and Payload components.

For example, detecting an overly long lifespan is a simple but effective check:

// Simplified example of the audit logic
function checkLifespan(payload) {
  if (!payload.iat || !payload.exp) return 'Missing timeline claims';

  const lifespanInHours = (payload.exp - payload.iat) / 3600;
  if (lifespanInHours > 24) {
    return `Warning: Token lifespan is suspiciously long (${lifespanInHours} hours). Consider short-lived tokens + refresh tokens.`;
  }
  return 'Pass';
}

By chaining dozens of these rules together, the tool builds a
comprehensive "Security Report Card" for your token in milliseconds.

What's Next?

Building this has been a great dive into the dark corners of web authentication.
I've open-sourced the entire project under the MIT license because I believe proactive JWT validation should be standard practice, not an afterthought.

You can check out the live (browser-only) version here:
https://jwt-inspector.pages.dev/

I'd love your feedback!
If you are a backend dev or security researcher, what are some of the worst JWT misconfigurations you've seen in the wild? Drop them in the comments, and I might write a rule to catch them!

DEV Community: bruce way

How I built a Zero-Trust JWT Inspector that runs entirely in the browser

The Problem: Decoding vs. Auditing

The Architecture: Why Browser-Only?

How the Engine Works Under the Hood

What's Next?