from Hacker News

Show HN: Jwt.is – JSON Web Token Debugger

by mhamann on 11/9/23, 2:31 PM with 23 comments

The team at Rownd is excited to announce https://jwt.is, an updated take on JSON Web Token debugging.

Like most developers, we've used jwt.io for years, but it lacks a number of useful features that would make it even more convenient. We're building on the shoulders of those who've come before us. :-)

In addition to the basic JWT decoding and signature verification, we've added things like:

- Verification using JWK endpoints
- Locally stored history of tokens and keys
- Verification for EdDSA signatures
- Detection of common token providers (e.g., Google, Apple, etc.)
- Dark mode!

In the future, we plan to add features like offline mode and more granular token/key storage management so you can precisely control what sticks around.

Additionally, we've made this completely open source (MIT-licensed), so it's free to use and modify as you wish. And of course, contributions are always welcomed!

Let us know what you think!

  • by eternityforest on 11/10/23, 9:34 AM

    I think it's great; having known-good, easy-to-use tools for common tech is great.

    But the ChatGPT button seems highly unnecessary. It doesn't seem to do anything a madlibs-style fill-in-the-blank template couldn't do in milliseconds.

  • by mbrameld on 11/9/23, 6:58 PM

    Looks a lot like https://jwt.io/

  • by jamietanna on 11/10/23, 10:49 AM

    Might be worth having a clearer "don't put production credentials into random websites" warning (previous discussion: https://news.ycombinator.com/item?id=24352360)

  • by IceDane on 11/9/23, 11:03 PM

    I'm sorry.. but is this for real?

    This is like an afternoon of work, and it's more or less a carbon copy of the existing tools. No one will care about any of the features you are describing. How much time do you think people spend on debugging JWTs?

    Then you also went and added AI integration of all things. This lets me wait 10 seconds to let GPT tell the definitions for each part of the JWT, which don't change. You could have just replaced it with a map from the claims to their purpose as defined by the RFC (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3). Not to mention how unfathomably silly it is to talk about security and whatnot and then just send people's JWTs off to some third party.

  • by jamietanna on 11/10/23, 10:50 AM

    Out of interest, could jwt.io not be amended to do the same things? Last I saw it was Open Source, too. Or was there something you thought/were told wouldn't be accepted?

  • by tentacleuno on 11/10/23, 12:06 PM

    Hm, I don't think this is working. The JavaScript throws an "Uncaught (in promise) be: Failed to base64url decode the signature" error, but the website says the signature is verified.

    Furthermore, if you enter the wrong key (just made a key on jwt.io, copied it into here, and entered the wrong key), it still says the signature is verified.
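
The symptom reported in the comment above (a decode error is thrown while the page still shows "verified") is what a fail-closed verifier rules out. The following is an added example, not code from jwt.is or from anyone in this thread: a Node.js HS256 check whose status starts as unverified and flips only when every step succeeded. The function names, the sample token and the secrets are constructed for illustration, and HS256 is an assumption, since the comment does not say which algorithm was used.

```javascript
// Added example (not jwt.is code): fail-closed HS256 verification.
const crypto = require('node:crypto');

const B64URL = /^[A-Za-z0-9_-]+$/;

// Strict base64url decode: throws on characters outside the alphabet
// (Buffer.from(..., 'base64url') is lenient and does not throw on them).
function b64urlDecode(segment) {
  if (!B64URL.test(segment) || segment.length % 4 === 1) {
    throw new Error('Failed to base64url decode');
  }
  return Buffer.from(segment, 'base64url');
}

// Returns { verified, reason }. `verified` starts false and is set true only
// on the single path where every check passed; any throw leaves it false.
function verifyHs256(token, secret) {
  const result = { verified: false, reason: null };
  try {
    const parts = String(token).split('.');
    if (parts.length !== 3) throw new Error('expected three segments');
    const [h, p, s] = parts;
    const header = JSON.parse(b64urlDecode(h).toString('utf8'));
    if (header.alg !== 'HS256') throw new Error('unexpected alg');
    const given = b64urlDecode(s);
    const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      throw new Error('signature mismatch');
    }
    result.verified = true;
  } catch (err) {
    result.reason = err.message;
  }
  return result;
}

// Constructed sample token, signed with a constructed secret.
function signHs256(payload, secret) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const body = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}`;
  const sig = crypto.createHmac('sha256', secret).update(body).digest('base64url');
  return `${body}.${sig}`;
}

const sampleToken = signHs256({ sub: 'constructed-user' }, 'right-secret');
console.log(verifyHs256(sampleToken, 'right-secret'));       // verified: true
console.log(verifyHs256(sampleToken, 'wrong-secret'));       // signature mismatch
console.log(verifyHs256(sampleToken + '!', 'right-secret')); // decode failure
```
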

  • by physicsguy on 11/10/23, 9:46 AM

    Looks nice, but pretty printing the output of the JSON is a must.

    I do like how you can paste the JWK URL for validation, not seen that elsewhere.

  • by adriaanb on 11/10/23, 9:51 AM

    Thanks for this. Bookmarked!