JSON Web Tokens (JWTs) are everywhere โ API authentication, single sign-on, session management. But most developers never look inside them. That is a mistake. A misconfigured JWT can give an attacker full access to any account, bypass signature verification entirely, or escalate privileges with a single header change.
This guide explains what a JWT is, how to decode it, and what security claims to inspect. You will learn to spot the misconfigurations that matter โ using the JWT Decoder from SecuriTool, all client-side.
Open the JWT Decoder in another tab while you read:
JWT Decoder โA JWT is a compact, URL-safe token format defined in RFC 7519. It carries claims (statements) about an entity โ typically a user โ and is signed so the recipient can verify it was issued by a trusted source.
A JWT looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Three Base64-encoded parts separated by dots:
| Part | Contains | Example Content |
|---|---|---|
| Header | Algorithm and token type | {"alg":"HS256","typ":"JWT"} |
| Payload | Claims (user data, permissions, timestamps) | {"sub":"1234567890","admin":true} |
| Signature | Cryptographic verification | HMAC-SHA256(header + payload, secret) |
JWTs are only as secure as their configuration. The most common vulnerabilities come from the header and payload claims โ not from broken cryptography. Security researchers look for:
| Claim | Risk if Misconfigured | Impact |
|---|---|---|
alg | none bypasses signature verification entirely | Full authentication bypass |
kid | Path injection or SQL injection via key ID | Code execution, data leak |
jwk / jku | Attacker supplies their own signing key | Token forgery |
exp | Missing expiration = token valid forever | Permanent session hijack |
iss / aud | Missing validation = cross-tenant token reuse | Account takeover across tenants |
role / admin | Server trusts client-provided privilege claims | Privilege escalation |
Authorization: Bearer header, cookie, or URL parameter.Everything happens client-side. No token data leaves your browser.
alg claimThe algorithm claim tells the server how to verify the token. This is the most attacked JWT field.
{
"alg": "HS256",
"typ": "JWT"
}
Red flags:
alg: "none" โ Signature verification completely disabled. The server accepts any token without checking the signature. This is the most critical JWT vulnerability.alg: "HS256" with a public key in jwk โ Algorithm confusion. The server expects RSA but the attacker signs with HMAC using the public key as the secret.alg switches between RSA and HMAC across different endpoints โ inconsistent verification.kid claimKey ID tells the server which key to use for verification. It is often used as a file path or database lookup.
{
"alg": "RS256",
"kid": "key-2024"
}
Red flags:
"kid": "../../dev/null" โ trick the server into using /dev/null (empty key) for verification."kid": "key' OR '1'='1" โ manipulate the key lookup query."kid": "|ls -la" โ if the server passes kid to a shell command.jwk and jku claimsThese claims tell the server where to find the signing key. An attacker can point them to their own key server.
{
"alg": "RS256",
"jku": "https://attacker.com/keys.json"
}
Attack: The server fetches the attacker's public key and uses it to verify the attacker's token โ which was signed with the attacker's private key.
exp){
"sub": "user123",
"iat": 1516239022
}
If there is no exp claim, the token never expires. An attacker who steals it has permanent access.
{
"sub": "user123",
"name": "John Doe"
}
Without iss (issuer) and aud (audience), a token issued by Service A can be used to access Service B. This is critical in microservice architectures.
{
"sub": "user123",
"admin": true,
"role": "superadmin"
}
If the server trusts these client-provided claims without checking its own database, an attacker can modify the payload and escalate privileges.
| Attack | How It Works | Detection |
|---|---|---|
| alg:none | Remove signature, set alg: "none" | Server accepts unsigned tokens |
| Key confusion | Use RSA public key as HMAC secret | Algorithm switches between RSA and HMAC |
| Kid injection | Path traversal in kid parameter | Test ../../etc/passwd |
| Weak secret | Brute-force HMAC secret with wordlists | Common passwords like secret, password |
| JKU redirect | Point jku to attacker-controlled URL | Server fetches external key |
Decode this token:
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
Header: {"alg":"none","typ":"JWT"} โ the none algorithm means no signature verification.
Payload: {"sub":"1234567890","name":"John Doe","admin":true} โ admin flag set to true.
Signature: Empty string after the second dot.
Verdict: This token bypasses all authentication. Any server that does not explicitly reject alg: none will accept it as valid.
alg: none, you can only find out by testing against the actual API.JWT security is not about broken cryptography โ it is about misconfigured claims. A single missing exp or a permissive alg: none can compromise an entire authentication system.
By decoding every JWT you encounter and checking the critical claims, you can spot vulnerabilities that most developers miss.
Try it with your own tokens:
Decode any JWT:
JWT Decoder โTest for attacks (alg:none, kid injection, secret cracking):
JWT Attacker โPublished May 31, 2026 ยท Practical Guide ยท SecuriTool