JWT Token Debugging and Security Analysis
Learn how to decode, validate, and debug JWT tokens effectively while understanding security implications.
What is a JWT?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, URL-safe way of transmitting claims between parties as a JSON object. A JWT is normally signed, so a recipient holding the right key can detect any alteration of the header or payload after the token was issued. The signature does not hide the contents, and it protects nothing unless the recipient actually verifies it.
JWT Structure
A JWT consists of three parts separated by dots (.):
JWT Format
header.payload.signature

1. Header
Contains metadata about the token, including the signing algorithm:
{
"alg": "HS256",
"typ": "JWT"
}

2. Payload
Contains the claims (statements about an entity and additional data):
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 1516242622
}

3. Signature
Lets a recipient that holds the key detect any change to the header or payload. For HS256 it is an HMAC over the first two base64url-encoded parts joined by a dot:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)

How to Debug JWT Tokens
1. Decode the Token
The header and payload are base64url encoded, not encrypted: anyone who obtains a token can read them, and so can you when debugging. Decoding tells you what the token claims, not whether those claims are genuine, so never act on the contents without verifying the signature.
2. Verify the Signature
Always verify the signature before trusting the token's contents. A signature that verifies under the key and algorithm you configured establishes that:
- The token was issued by a holder of that key (the shared secret for HS256, the issuer's private key for RS256 or ES256)
- The header and payload are exactly what the issuer signed; any tampered byte fails verification
A signature that merely decodes, or that verifies under a key or algorithm chosen by the token itself, proves nothing.
3. Check Claims
Common JWT claims to validate, compared against values configured in the verifier (allow a small clock-skew leeway, a few seconds to a minute, on the time-based ones):
- iss (Issuer): Reject tokens whose issuer is not the authority you configured
- sub (Subject): Identifies the principal the token refers to; map it onto your own identity model rather than trusting it as-is
- aud (Audience): Reject tokens not intended for your service (aud may be a single string or an array of strings)
- exp (Expiration): Reject tokens whose expiry is in the past; treat a missing exp as a failure unless you deliberately allow it
- nbf (Not Before): Reject tokens presented before their nbf time
- iat (Issued At): Check when the token was created; reject tokens that claim to be issued in the future or that are older than your maximum accepted age
Common JWT Security Issues
1. Algorithm Confusion Attack
An attacker takes a token meant to be verified with an RSA public key under RS256, changes the header's alg to HS256, and signs the forged payload with HMAC using the public key bytes as the secret. A verifier that picks the algorithm from the header and passes the same key material into whichever path the header selects computes the same HMAC and accepts the forgery, because the public key is, by design, public. Never let the token choose the algorithm: pin the expected algorithm in the verifier's configuration, bind each key to exactly one algorithm, and reject any other alg before doing any cryptography.
2. None Algorithm
Some libraries, and many hand-rolled verifiers, accept "none" as a valid algorithm, meaning the signature is not checked at all; an attacker sets alg to "none", drops the signature, and writes whatever claims they like. Reject tokens whose alg is "none" or any value you did not configure, and treat an empty or missing signature as a verification failure, in production and everywhere else.
3. Weak Secrets
HS256 tokens can be cracked offline: an attacker who captures a single token recomputes the HMAC for each candidate secret at hashing speed, with no requests to your server and nothing in your logs, and stops when the result matches the token's signature. Weak, short, default or password-derived secrets fall to a wordlist in seconds. Use secrets of at least 256 bits from a cryptographic random generator (RFC 7518 requires HMAC keys at least as long as the hash output, so 32 bytes for HS256) and rotate them if they are ever exposed.
4. Token Storage
localStorage is readable by any script running in the page's origin, so a single XSS bug hands the attacker every token stored there. Depending on the platform, prefer:
- HttpOnly cookies for web applications (script cannot read them; pair them with the Secure and SameSite attributes, because a cookie-borne token is sent automatically and therefore needs CSRF protection)
- The platform keystore or secure storage APIs in mobile apps, never plain preferences files
- In-memory storage for single-page applications, accepting that the token is lost on reload and reacquired through the refresh flow
JWT Best Practices
- Keep tokens short-lived: Use expiration times on the order of 15-60 minutes for access tokens, so a stolen token has a bounded useful life
- Implement refresh tokens: Issue longer-lived refresh tokens separately and rotate them on every use, revoking the whole session when an already-consumed refresh token is presented again
- Use HTTPS: Always transmit JWTs over secure connections; a bearer token sent in clear is a credential sent in clear
- Don't store sensitive data: The payload is base64url encoded, not encrypted, so anyone who holds the token can read it; keep passwords, secrets and personal data out of it
- Validate all claims: Check issuer, audience, expiration, not-before and issued-at against configured values on every request
- Use strong algorithms: Prefer asymmetric RS256 or ES256 when services other than the issuer verify tokens, so verifiers hold only public keys; HS256 is acceptable when issuer and verifier are the same trust domain and the secret is long and random. Never accept "none"
- Implement token revocation: Short expiry limits the damage, but logout, password change and compromise need a server-side denylist of revoked token ids (jti) or session ids that is checked on every request
- Monitor token usage: Log signature failures, rejected algorithms, expired-token retries and refresh-token reuse; a spike in any of them is an attack signal
Debugging Tools and Techniques
1. JWT Debugger Tools
Online JWT debuggers are convenient for decoding and inspecting tokens during development. They help you:
- View header and payload contents
- Verify signatures with a development secret
- Check token expiration
- Validate token structure
Only ever paste test tokens and test secrets into them. A production token is a bearer credential, and a production HMAC secret is the key to every token you will ever issue; pasting either into a third-party site hands it to whoever operates or compromises that site. For real tokens, decode locally with a one-line base64url decode in your shell or language runtime.
2. Browser DevTools
Use browser developer tools to inspect JWT tokens in:
- Network tab: View tokens in the Authorization header of requests and in response bodies or Set-Cookie headers
- Application tab: Check where the token is stored (cookies, localStorage, sessionStorage); if you can read it from the console, so can injected script
- Console: Decode the header and payload programmatically (convert base64url to base64 before calling atob)
3. Server-Side Validation
Always perform validation on the server side, on every request that carries the token. Client-side checks (for example, refreshing before exp) are for user experience only; anything the client does can be skipped by an attacker, so no client-side check is ever a security control.