Tags: Security Tool · Compliance · Web Crypto · Offline · Deep Prototype

JWT Workbench — Offline JWT Security Inspector

Paste any JWT and see every claim, every signature, and the security issues an attacker would find first. Brute-forces 12 common weak secrets in-browser via Web Crypto. Nothing leaves the page.

Open live →

What it is

A JWT inspector that doesn’t just decode — it audits. Paste any token and the tool:

  • Decodes header, payload, and signature with syntax highlighting
  • Runs 12 well-known weak secrets against the signature via Web Crypto (secret, password, changeme, your-256-bit-secret, admin, etc.) — if any one matches, the token is forgeable
  • Flags alg: none, missing typ, suspicious kid, missing aud/iss/sub claims
  • Detects expired tokens, long-lived tokens (>1 year TTL), and an iat that lies in the future (clock skew or a forged timestamp)
  • Identifies over-scoped permissions (any role matching admin, root, super, *)
  • Renders an expiry timeline (iat → nbf → now → exp)
  • Verifies HS256/384/512 signatures in-browser against any user-provided secret

Why it’s a deep prototype, not a mockup

Five demo tokens are pre-loaded, each crafted to exercise a specific failure mode:

  1. HS256 demo — strong-secret signed, near-future expiry. Baseline pass.
  2. alg: none — the unsigned variant that tricks naive verifiers into trusting the payload.
  3. Weak secret 'secret' — actually signed with the literal string 'secret'. The tool’s brute-force loop catches it.
  4. Expired: exp is 2 hours in the past. Tool computes “X hr ago.”
  5. Over-scoped admin with roles: ['admin','super_admin','system_root'] and permissions: ['*']. Tool flags the elevation.

Every demo runs through real Web Crypto. The weak-secret check is not pattern-matching on the string 'secret' in the JWT — it computes HMAC-SHA256(header.payload, candidate) and compares to the actual signature bytes.

Why this matters in regulated contexts

JWT misconfigurations are one of the most common pre-prod findings in SOC2 and HIPAA audits I’ve reviewed. The pattern is always the same: a developer pastes a token into jwt.io to debug a 401, then forgets the token-handling story. The audit asks for the policy. There isn’t one.

This tool is the lightweight version of that policy — designed so an engineer can verify, in 30 seconds, before the audit starts, that the token they just minted isn’t going to get them written up.

How it ships

Single HTML file, ~17KB. Zero dependencies. Zero network calls. Zero cookies. Works in airplane mode. The expiry timeline, syntax highlighting, brute-force loop, and HMAC verification are all 380 lines of vanilla JavaScript.

Open the tool →