This is the source code for a web tool that can decode JWT, verify signed JWT, decrypt encrypted JWT, and create signed or encrypted JWT. It works nicely for lots of cases. It also has a few limitations; details below.
This code is Copyright (c) 2019-2024 Google LLC, and is released under the Apache Source License v2.0. For information see the LICENSE file.
I built this as a tool that might be helpful to developers learning JWT, or experimenting with ways to use JWT. The output of this repo is currently running here.
This tool is not an official Google product, nor is it part of an official Google product.
This tool has some limitations:
-
For signed JWT, the tool handles JWT that use ECDSA (ES256, ES384, ES512), RSA (RS256, RS384, RS512, PS256, PS384, PS512) or HMAC algorithms (HS256, HS384, HS512).
-
For encrypted JWT, specifically for key encryption, it handles JWT that use RSA keys and RSA algorithms (RSA-OAEP, RSA-OAEP-256), JWT that use EC keys and various ECDH algorithms (ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A256KW) as well as JWT that use the PBES2 algorithms. It does not currently support the "dir" alg type. It supports all types of enc algorithms.
-
In either case (signed or encrypted), this tool does not handle crit headers, nor will it extract the certificate from an x5c header. Nor will it check thumbprints of an x5t header.
-
This tool uses EcmaScript v9, and webcrypto, which means it will run only on modern, current browsers.
This is a single-page web app. It has no "backend" supporting it. All JWT signing and verifying, or encrypting or decrypting, happens within the browser. Anything a user pastes into the UI never leaves the browser. It just needs a few static files.
There's a shortcut: if you open the url with ?JWT_HERE, it will decode that JWT. It saves you a step, pasting in your own JWT. If you're paranoid you can also use the # as a separator.
You may want to fork this and bundle it into an intranet, to allow developers within a company to experiment with JWT. You can also run it from a file:// URL.
From my perspective, there's no security issue with using the publicly hosted tool, but your company's security auditors may not agree..
The web app depends on
- Bootstrap 5.0 - for UI and styling
- node-jose - for JWT
- CodeMirror - for the in-browser editors
- webcrypto - for generating RSA and ECDSA keys
This tool uses webpack v5 for bundling the assets.
Constructive feedback is always appreciated. PR's will be appreciated.
If you fork this repo to mess with the code, here's what I advise.
Before you do anything you need to install the dependencies.
npm install
To build a "development" distribution:
npm run devbuild
This build will allow you to run the page and debug with the browser dev tools, and see the original source lines in your in-browser debugger. You can load the page via a file:/// url, and it will work just fine. For that, open a Chrome browser tab (or whatever browser you use) to file:///path/to/dist/index.html .
During development, I prefer to use the webpack "watch" capability, which rebuilds as I modify the source code. To do that, execute this in a terminal:
npm run watch
The above command will run "forever", and will rebundle when any source file changes. When you save a file, wait a few seconds for the build, maybe 5 seconds, and then just click the reload button in the browser tab, to see the updates.
To build a production distribution:
npm run build
- For verification of signed JWT, or creation of encrypted JWT, it is not possible to use an x509v3 certificate for the source of the public key. You need to extract the public key yourself.