I use JWTs every day. Whether I'm debugging an authentication flow, inspecting an API response, or auditing a microservice, the first thing I do is copy the token and head to jwt.io.
It's the de facto standard. But it has two fundamental problems that bothered me enough to build an alternative.
The Problem with jwt.io
It sends your token to a server.
The signature verification feature requires a round-trip to their backend. If you're working with production tokens (even if they're "just" test tokens from staging), that's a data leak waiting to happen. Many developers don't even realize this.
It doesn't analyze security.
jwt.io decodes the header and payload. That's it. It won't tell you if your token is vulnerable to the alg: none attack, if the RS256/HS256 algorithm confusion is possible, or if the token has been expired for three weeks. You're on your own for the security audit.
So I built DevToolbox JWT Decoder & Security Analyzer — a free, open tool that does everything client-side and adds a full security scanner on top.
What Makes It Different
100% Client-Side — Your Token Never Leaves Your Browser
No server, no API calls, no telemetry. The decoding, parsing, and analysis all happen in JavaScript. You can even disconnect your internet after the page loads — it still works. This is crucial when you're handling real tokens (even test ones) that could contain sensitive claims.
Built-in Security Scanner (8+ Checks)
As soon as you paste a token, the tool runs a suite of checks against it:
| Severity | Check |
|---|---|
| Critical | alg: none detected — token has no signature |
| High | Algorithm confusion (RS256 used with HS256) |
| High | Sensitive data in payload (passwords, secrets, credit card numbers) |
| Medium | No expiration claim |
| Medium | Very long expiration (> 30 days) |
| Medium | Token not yet valid (nbf in the future) |
| Low | Missing iat (issued at) |
| Info | Token already expired |
Each finding is explained in plain English, with a severity badge and a fix recommendation. You can even export a JSON report to share with your security team.
Visual Expiration Timeline
A color-coded progress bar shows the token's lifecycle: when it was issued, when it expires, and where "now" falls. If the token is about to expire, it turns amber; if it's expired, red. You also get a live countdown showing exactly how long until expiration.
Smart Input Normalization
You can paste:
- A raw JWT
- Bearer eyJhbGci... (it strips the prefix automatically)
- An Authorization: Bearer ... header (copy-pasted from curl output)
- A cookie value like jwt=eyJ...
- URL-encoded tokens (it decodes them first)
It just works.
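The normalization described above, as an added example in JavaScript (my own illustration, not the DevToolbox source; the function and regex names are assumptions). It also uses one detail the list does not spell out: a base64url-encoded JSON object always starts with "eyJ", which keeps version strings and other dotted text from being mistaken for a token.

```javascript
// Added example (not the DevToolbox code): turn whatever was pasted into a bare
// JWS compact token. Handles a raw token, "Bearer x", an "Authorization: Bearer x"
// header line, a cookie such as "jwt=x; Path=/" and URL-encoded forms of each.

// header.payload.signature, base64url alphabet only. A JSON object encoded as
// base64url begins with "eyJ" (the bytes '{"'), so we require that for the first
// two segments. The signature segment may be empty (alg "none").
const JWT_RE = /eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*/;

// Returns { token, form } or null when nothing token-shaped is present.
function normalizeJwtInput(raw) {
  let text = raw.trim();
  let form = "raw";

  // URL-encoded input (e.g. copied from a query string) is decoded first.
  // A malformed escape sequence throws; in that case keep the text unchanged.
  if (/%[0-9A-Fa-f]{2}/.test(text)) {
    try {
      text = decodeURIComponent(text);
      form = "url-encoded";
    } catch {
      /* not valid percent-encoding: leave as pasted */
    }
  }

  if (/^authorization\s*:/i.test(text)) form = "header";
  else if (/^bearer\s/i.test(text)) form = "bearer";
  else if (/^[\w-]+=/.test(text)) form = "cookie";

  // The regex search skips prefixes ("Authorization:", "Bearer", "jwt=") and
  // stops at the first character outside the base64url alphabet (";", " ").
  const match = text.match(JWT_RE);
  return match ? { token: match[0], form } : null;
}
```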
Side-by-Side Token Comparison
Need to compare a refreshed access token with the old one? The compare mode shows the security grades, expiration status, and claim differences with color-coded diffs (added, removed, changed).
Payload Editor
Edit claims directly in the browser, re-encode the token, and see how the header+payload change. The signature is deliberately invalidated (no secret provided) and clearly marked as such.
How It Compares to jwt.io
| Feature | DevToolbox | jwt.io |
|---|---|---|
| Decode header/payload | ✅ | ✅ |
| Signature verification | ❌ (intentionally — no secret needed) | ✅ (requires server round-trip) |
| Algorithm none detection | ✅ | ❌ |
| Algorithm confusion detection | ✅ | ❌ |
| Sensitive data scan | ✅ | ❌ |
| Expiration timeline | ✅ | ❌ |
| Token comparison | ✅ | ❌ |
| Export report | ✅ | ❌ |
| Auto-strips Bearer prefix | ✅ | ❌ |
| Works offline | ✅ | ❌ (signature verification calls home) |
Why I Chose to Omit Signature Verification
You might wonder: "Why not add signature verification locally? Web Crypto API can do HMAC/RS256!"
The answer: you should never paste your secret key into a browser tool. Even if the tool is 100% client-side, the risk of shoulder surfing, accidental copy-paste, or a malicious browser extension is too high. The signature is displayed for manual inspection only. If you need to cryptographically verify a token, do it on your backend.
A Concrete Example
Let's say I paste this token:
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJ1c2VyXzEyMzQ1IiwibmFtZSI6IkFsaWNlIERvZSIsImVtYWlsIjoiYWxpY2VAZXhhbXBsZS5jb20iLCJyb2xlcyI6WyJ1c2VyIl0sImlhdCI6MTc0OTM3NjgwMCwiZXhwIjoxNzQ5NDYzMjAwfQ.
Within milliseconds, the tool tells me:
- 🔴 Critical: Algorithm none — this token has no signature at all.
- 🟡 Medium: No expiration — wait, actually it has exp, but it's in the past, so 🔵 Info: Token expired.
- ✅ All other checks pass.
jwt.io would just decode the header and payload. I'd have to manually notice that alg is none and mentally check the expiration timestamp. This tool surfaces everything instantly.
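The claim-level checks from the scanner table and the alg: none walk-through just shown, as an added example in JavaScript (my own illustration, not the DevToolbox source; function names and the sensitive-claim list are assumptions). It decodes locally with no network and no secret, and skips algorithm-confusion detection, which is a property of the verifier rather than of the token alone.

```javascript
// Added example (not the DevToolbox code): decode a JWT in the browser and run
// the claim-based checks described above. No signature is verified.

function b64urlToJson(segment) {
  // JWT segments are unpadded base64url: restore padding and the standard alphabet.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/") +
    "=".repeat((4 - (segment.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return { header: b64urlToJson(parts[0]), payload: b64urlToJson(parts[1]), signature: parts[2] };
}

// Claim names that should never travel inside a token (assumed heuristic, not exhaustive).
const SENSITIVE_CLAIM = /^(password|passwd|secret|api_?key|ssn|card_?number)$/i;
const THIRTY_DAYS = 30 * 86400;

// Returns { header, payload, findings }, each finding being { severity, message }.
// `now` (seconds since epoch) is injected so results are reproducible.
function analyzeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  const findings = [];
  const add = (severity, message) => findings.push({ severity, message });

  if (String(header.alg).toLowerCase() === "none") {
    add("Critical", "alg: none detected, token carries no signature");
  }
  if (!("exp" in payload)) add("Medium", "No expiration claim");
  else if (payload.exp <= now) add("Info", "Token already expired");
  else if (payload.exp - (payload.iat ?? now) > THIRTY_DAYS) add("Medium", "Very long expiration (> 30 days)");
  if ("nbf" in payload && payload.nbf > now) add("Medium", "Token not yet valid (nbf in the future)");
  if (!("iat" in payload)) add("Low", "Missing iat (issued at)");
  for (const claim of Object.keys(payload)) {
    if (SENSITIVE_CLAIM.test(claim)) add("High", `Sensitive data in payload: claim "${claim}"`);
  }
  return { header, payload, findings };
}
```

Feeding it the alg: none token from the example above with a clock between its iat and exp yields a single Critical finding; with a later clock it adds the Info "already expired" finding.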
The Bigger Picture
This JWT decoder is part of a larger suite of free developer tools I'm building, all 100% client-side. The philosophy is simple: if a tool can run in the browser, it should. No one should have to upload their sensitive data to a server just to format JSON or check a header.
Some other tools in the suite:
- Visual Effects Generator (glassmorphism, neumorphism, keyframes)
- Universal Timestamp Converter (Unix, ISO, RFC, FILETIME, UUID decoding)
- HTTP Header Analyzer (security headers scoring and explanations)
- SQL Formatter & Explainer (formatting, anti-patterns, dialect conversion)
Try It Out
The JWT Decoder is completely free, no sign-up, no ads. If you find a bug or have a feature request, open an issue on the repo or reach out.
What's your go-to JWT debugging workflow? Have you ever been bitten by the alg: none vulnerability? Let me know in the comments!