Show HN: Jwt.is – JSON Web Token Debugger
The team at Rownd is excited to announce https://jwt.is, an updated take on JSON Web Token debugging.
Like most developers, we've used jwt.io for years, but it lacks a number of useful features that would make it even more convenient. We're building on the shoulders of those who've come before us. :-)
In addition to the basic JWT decoding and signature verification, we've added things like:

- Verification using JWK endpoints
- Locally stored history of tokens and keys
- Verification for EdDSA signatures
- Detection of common token providers (e.g., Google, Apple, etc.)
- Dark mode!
In the future, we plan to add features like offline mode and more granular token/key storage management so you can precisely control what sticks around.
Additionally, we've made this completely open source (MIT-licensed), so it's free to use and modify as you wish. And of course, contributions are always welcomed!
Let us know what you think!

I think it's great, having known good, easy to use tools for common tech is great. But the ChatGPT button seems highly unnecessary. It doesn't seem to do anything a madlibs style fill in the blank template couldn't do in milliseconds. Thanks!

Yeah, the GPT stuff was just a fun easter egg. :-D

Looks a lot like https://jwt.io/

also https://jwt.ms (fully client side, hosted by Microsoft)

https://jwt.is is also fully client-side

Also https://token.dev which supports JWT and PASETO tokens

Off topic: what is the adoption of PASETO like? I haven't seen any major move towards the standard and most everyone is still using JWT

I wonder this as well. I've never come across a real-world implementation of PASETO.

Might be worth having a clearer "don't put production credentials into random websites" warning (previous discussion: https://news.ycombinator.com/item?id=24352360)

Hey thanks for the feedback! We added a note under the encoded section to address this - do you think that helps?

I'm sorry... but is this for real? This is like an afternoon of work, and it's more or less a carbon copy of the existing tools. No one will care about any of the features you are describing. How much time do you think people spend on debugging JWTs? Then you also went and added AI integration of all things. This lets me wait 10 seconds to let GPT tell the definitions for each part of the JWT, which don't change. You could have just replaced it with a map from the claims to their purpose as defined by the RFC (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3). Not to mention how unfathomably silly it is to talk about security and whatnot and then just send people's JWTs off to some third party.

> This lets me wait 10 seconds to let GPT tell the definitions for each part of the JWT, which don't change.

Yeah, that's lost on me. Why not embed it as a string? Seems quite lazy, as the current solution would presumably eat up all their OpenGPT credits. That, and I would have preferred an explainer from someone who understands JWT. Another obvious disadvantage of using AI is that the response can change over time, so it has the potential to hallucinate.

> This is like an afternoon of work, and it's more or less a carbon copy of the existing tools. No one will care about any of the features you are describing. How much time do you think people spend on debugging JWTs?

This seems a bit dismissive, though. Let's see how many people use it before making broad judgements like that. It comes across as rude and unnecessary.

It's definitely more than an afternoon of work, though I can understand how you might think that. Things are often harder and more complex than we realize at first. :-) One of the biggest gaps with the current implementation is lack of support for JWKs. We wanted to support that. Also, dark mode. It's the little things. For the record, no tokens are ever sent anywhere. Everything stays local to the browser. If you hit the "GPT" button, it just transmits the payload--nothing else. That part is definitely a fun experiment. It's more "useful" with more complex payloads. But it may not stick around long-term. We'll see.

The website was probably created as a subtle way to promote their startup.

> The website was probably created as a subtle way to promote their startup.

Seems fair, TBH. The AI recommends "Rownd", which it has clearly been programmed to do.

> Solutions like Rownd can assist by simplifying and securing JWT management, ensuring that developers can focus on building their applications with increased efficiency and security.

Auth0/Okta uses jwt.io to promote themselves, so why shouldn't we do the same? ;-) But this was also more about scratching an itch that we had internally where similar tools didn't support all of the features we wanted them to. So, we wrote our own. Thanks for checking it out!

Out of interest, could jwt.io not be amended to do the same things? Last I saw it was open source, too. Or was there something you thought/were told wouldn't be accepted?

Yes, it certainly could be; however, it would be up to the maintainers of that project whether to accept contributions. "Competition" is good for everyone though. Maybe they'll adopt some of our ideas. :-D

Hm, I don't think this is working. The JavaScript throws an "Uncaught (in promise) be: Failed to base64url decode the signature" error, but the website says the signature is verified. Furthermore, if you enter the wrong key (just made a key on jwt.io, copied it into here, and entered the wrong key), it still says the signature is verified.

Sorry about that--always a few bugs in the first rev. It's working now!

Looks nice, but pretty printing the output of the JSON is a must. I do like how you can paste the JWK URL for validation, not seen that elsewhere.

Thanks! We have a few improvements to make around copy/paste stuff, array printing, etc. Thanks for the feedback!

Thanks for this. Bookmarked!