Show HN: Jwt.is – JSON Web Token Debugger
Like most developers, we've used jwt.io for years, but it lacks a number of useful features that would make it even more convenient. We're building on the shoulders of those who've come before us. :-)
In addition to the basic JWT decoding and signature verification, we've added things like: - Verification using JWK endpoints - Locally stored history of tokens and keys - Verification for EdDSA signatures - Detection of common token providers (e.g., Google, Apple, etc) - Dark mode!
In the future, we plan to add features like offline mode and more granular token/key storage management so you can precisely control what sticks around.
Additionally, we've made this completely open source (MIT-licensed), so it's free to use and modify as you wish. And of course, contributions are always welcomed!
Let us know what you think!
26 comments
[ 3.4 ms ] story [ 57.0 ms ] threadThis is like an afternoon of work, and it's more or less a carbon copy of the existing tools. No one will care about any of the features you are describing. How much time do you think people spend on debugging JWTs?
Then you also went and added AI integration of all things. This lets me wait 10 seconds to let GPT tell the definitions for each part of the JWT, which don't change. You could have just replaced it with a map from the claims to their purpose as defined by the RFC(https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3). Not to mention how unfathomably silly it is to talk about security and whatnot and then just send people's JWTs off to some third party.
Seems fair, TBH. The AI recommends "Rownd", which it has clearly been programmed to do.
> Solutions like Rownd can assist by simplifying and securing JWT management, ensuring that developers can focus on building their applications with increased efficiency and security.
But this was also more about scratching an itch that we had internally where similar tools didn't support all of the features we wanted them to. So, we wrote our own.
Thanks for checking it out!
Yeah, that's lost on me. Why not embed it as a string? Seems quite lazy, as the current solution would presumably eat up all their OpenGPT credits.
That, and I would have preferred an explainer from someone who understands JWT. Another obvious disadvantage of using AI is that the response can change over time, so it has the potential to hallucinate.
> This is like an afternoon of work, and it's more or less a carbon copy of the existing tools. No one will care about any of the features you are describing. How much time do you think people spend on debugging JWTs?
This seems a bit dismissive, though. Let's see how many people use it before making broad judgements like that. It comes across as rude and unnecessary.
One of the biggest gaps with the current implementation is lack of support for JWKs. We wanted to support that. Also, dark mode. It's the little things.
For the record, no tokens are ever sent anywhere. Everything stays local to the browser. If you hit the "GPT" button, it just transmits the payload--nothing else. That part is definitely a fun experiment. It's more "useful" with more complex payloads. But it may not stick around long-term. We'll see.
But the ChatGPT button seems highly unnecessary. It doesn't seem to do anything a madlibs style fill in the blank template couldn't do in milliseconds.
Yeah, the GPT stuff was just a fun easter egg. :-D
I do like how you can paste the JWK URL for validation, not seen that elsewhere.
Furthermore, if you enter the wrong key (just made a key on jwt.io, copied it into here, and entered the wrong key), it still says the signature is verified.