JWT Token Analysis and Security Pitfalls
JSON Web Tokens (JWTs) are the standard for stateless authentication in modern APIs. A JWT has three Base64-encoded parts separated by dots: header, payload, signature. Decoding the first two parts is trivial and reveals the claims, algorithm, and expiry. Security issues lurk in how the token is generated, verified, and stored.
Try it now
JWT Decoder
Runs in your browser, nothing leaves your device.
The header's `alg` field: if it's 'none', the token has no signature at all. If it's HS256 but the server uses RSA, you might have an algorithm confusion vulnerability. The payload's claims: `exp` for expiry (is it reasonable?), `iat` for issue time, `sub` for subject, and any custom claims that might leak sensitive data. Check if the token contains PII, roles, or internal IDs that shouldn't be client-accessible.
Algorithm confusion: changing alg from RS256 to HS256 and signing with the public key. The alg:none attack: removing the signature entirely. Missing expiry: tokens that never expire remain valid forever if stolen. Sensitive data in claims: JWTs are encoded, not encrypted, so anyone can read the payload. Storing JWTs in localStorage makes them accessible to XSS attacks.
Examples
Decoded JWT payload
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0Iiwicm9sZSI6ImFkbWluIiwiZXhwIjoxOTk5OTk5OTk5fQ
{"sub":"1234","role":"admin","exp":1999999999} - Expires in 2033, admin role in payload
Security context
JWTs are not encrypted, they're just Base64. Never put secrets, passwords, or sensitive PII in JWT claims. Anyone who intercepts the token can read everything in it. The signature only guarantees the claims haven't been tampered with, it doesn't hide them.
Frequently asked
In an HttpOnly, Secure cookie with SameSite=Lax. This makes the token inaccessible to JavaScript (preventing XSS theft) and ensures it's only sent over HTTPS. Avoid localStorage and sessionStorage, as they're accessible to any JavaScript running on the page.
Related techniques
SAML Response Decoding and SSO Security
Decode Base64-encoded SAML responses and assertions. Inspect issuer, audience, conditions, and authentication context in SSO flows.
Base64 Decoding
How to decode Base64-encoded payloads found in malware, phishing kits, and obfuscated scripts. Detect hidden URLs, credentials, and executable code.
Cookie Security Flags: Secure, HttpOnly, SameSite
Audit cookie security attributes. Detect session cookies missing Secure, HttpOnly, or SameSite flags that enable session hijacking and CSRF attacks.