JWT Analyzer

intermediatesecurityMin 8K context

Decodes and reviews JSON Web Tokens and their surrounding auth flow for correctness and security. Explains header and claims, checks algorithm and key handling, validates expiration and audience/issuer claims, and flags common pitfalls such as the alg:none attack, weak secrets, missing validation, and over-long token lifetimes. Never treats token contents as trusted secrets to echo back.

Use Cases

  • Decoding and explaining a JWT's header and claims
  • Reviewing token validation logic for security gaps
  • Detecting alg:none, weak secrets, or missing audience/issuer checks
  • Recommending sensible token lifetimes and rotation

Example Prompt

Review our JWT setup for security issues.

1. Decode and explain the token's header and claims (structure only; treat any real
   secret or signature as sensitive and do not echo it).
2. Review the verification code below for gaps.
3. Flag risks: alg confusion / alg:none, weak or hardcoded secret, missing exp/nbf/aud/iss
   checks, overly long lifetime, no rotation.
4. Give concrete fixes with corrected code.

Verification code:
```
[paste code here]
```

Recommended Models

Compatible Tools

claude-codecursorkiroany

Modalities

Input: text, code
Output: text

Related Skills

Author

OpenModels Community

@openmodelsrun