{"id":28332798,"url":"https://github.com/dinochiesa/jwt-webtool","last_synced_at":"2025-10-30T13:38:44.313Z","repository":{"id":37535064,"uuid":"221107980","full_name":"DinoChiesa/jwt-webtool","owner":"DinoChiesa","description":"Source code repo for the online JWT webtool. ","archived":false,"fork":false,"pushed_at":"2024-12-16T18:18:39.000Z","size":7510,"stargazers_count":150,"open_issues_count":0,"forks_count":52,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-07-07T08:11:54.103Z","etag":null,"topics":["cryptography","encryption","jwt","rsa"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DinoChiesa.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-12T02:00:34.000Z","updated_at":"2025-06-03T02:30:03.000Z","dependencies_parsed_at":"2024-04-09T00:28:00.859Z","dependency_job_id":"7e1cd906-9b00-4909-a4e9-de33ae9bb40f","html_url":"https://github.com/DinoChiesa/jwt-webtool","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/DinoChiesa/jwt-webtool","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DinoChiesa%2Fjwt-webtool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DinoChiesa%2Fjwt-webtool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DinoChiesa%2Fjwt-webtool/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DinoChiesa%2Fjwt-webtool/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DinoChiesa","download_url":"https://codeload.github.com/DinoChiesa/jwt-webtool/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DinoChiesa%2Fjwt-webtool/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":281816905,"owners_count":26566842,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-30T02:00:06.501Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","encryption","jwt","rsa"],"created_at":"2025-05-26T20:22:20.118Z","updated_at":"2025-10-30T13:38:44.307Z","avatar_url":"https://github.com/DinoChiesa.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# JWT Web tool\n\nThis is the source code for a web tool that can decode JWT, verify signed JWT,\ndecrypt encrypted JWT, and create signed or encrypted JWT. It works nicely for\nlots of cases.  It also has a few limitations; details below.\n\n![screengrab](images/screenshot-20191115-083624.png)\n\n## License\n\nThis code is Copyright (c) 2019-2024 Google LLC, and is released under the Apache\nSource License v2.0. For information see the [LICENSE](LICENSE) file.\n\n## Purpose\n\nI built this as a tool that might be helpful to developers learning JWT, or\nexperimenting with ways to use JWT.  The output of this repo is currently\nrunning [here](https://dinochiesa.github.io/jwt/).\n\n## Disclaimer\n\nThis tool is not an official Google product, nor is it part of an official\nGoogle product.\n\n## Limitations\n\nThis tool has some limitations:\n - For signed JWT, the tool handles JWT that use ECDSA (ES256, ES384, ES512),\n   RSA (RS256, RS384, RS512, PS256, PS384, PS512) or HMAC algorithms (HS256,\n   HS384, HS512).\n\n - For encrypted JWT, specifically for key encryption, it handles JWT that use\n   RSA keys and RSA algorithms (RSA-OAEP, RSA-OAEP-256), JWT that use EC keys\n   and various ECDH algorithms (ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A256KW) as well\n   as JWT that use the PBES2 algorithms. It does not currently support the \"dir\"\n   alg type. It supports all types of enc algorithms.\n\n - With either signed or encrypted JWT, this tool explicitly ignores crit headers.\n\n - This tool will not extract the certificate from an x5c header. Nor will it check\n   thumbprints of an x5t header.\n\n - This tool uses EcmaScript v9, and webcrypto, which means it will run only on\n   modern, current browsers.\n\n## Design\n\nThis is a single-page web app. It has no \"backend\" supporting it. All JWT\nsigning and verifying, or encrypting or decrypting, happens within the browser.\nAnything a user pastes into the UI never leaves the browser. It just needs a few\nstatic files.\n\nThere's a shortcut: if you open the url with \u003cbaseurl\u003e?JWT_HERE, it will decode *that* JWT.   It\nsaves you a step, pasting in your own JWT. If you're paranoid you can also use\nthe # as a separator.\n\nYou may want to fork this and bundle it into an intranet, to allow developers\nwithin a company to experiment with JWT. You can also run it from a file:// URL.\n\nFrom my perspective, there's no security issue with using the [publicly hosted\ntool](https://dinochiesa.github.io/jwt/), but your company's security auditors\nmay not agree..\n\n## Dependencies\n\nThe web app depends on\n* [Bootstrap 5.0](https://getbootstrap.com/docs/5.0) - for UI and styling\n* [node-jose](https://github.com/cisco/node-jose) - for JWT\n* [CodeMirror](https://codemirror.net/) - for the in-browser editors\n* [webcrypto](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API) - for generating RSA and ECDSA keys\n\n\n## Build Dependencies\n\nThis tool uses [webpack v5](https://webpack.js.org/) for bundling the assets.\n\n\n## Please send pull requests\n\nConstructive feedback is always appreciated.\nPR's will be appreciated.\n\n\n## Developing\n\nIf you fork this repo to mess with the code, here's what I advise.\n\nBefore you do anything you need to install the dependencies.\n\n```\nnpm install\n```\n\nTo build a \"development\" distribution:\n\n```\nnpm run devbuild\n```\n\nThis build will allow you to run the page and debug with the browser dev tools,\nand see the original source lines in your in-browser debugger. You can load the\npage via a file:/// url, and it will work just fine. For that, open a Chrome\nbrowser tab (or whatever browser you use) to\nfile:///path/to/dist/index.html .\n\nDuring development, I prefer to use the webpack \"watch\" capability, which\nrebuilds as I modify the source code. To do that, execute this in a terminal:\n\n```\nnpm run watch\n```\n\nThe above command will run \"forever\", and will rebundle when any source file\nchanges. When you save a file, wait a few seconds for the build, maybe 5\nseconds, and then just click the reload button in the browser tab, to see the\nupdates.\n\n\nTo build a production distribution:\n\n```\nnpm run build\n```\n\n## Warnings\n\nWhen you run `npm run build` or `npm run watch` you may see warnings, especiall\nwith regard to Bootstrap and its use of the deprecated `@import` rather than\n`@use`.  This is apparently benign. As of 2024 December 16, there is no\nworkarund to avoid this. The scss compilation tool is suggesting to move away\nfrom `@import` but there is no version of bootstrap that has converted, yet.\nWe'll resolve this warning in the future.\n\n\n## Acknowledgments\n\nThanks to \u003ca href='https://github.com/rdavydov'\u003e@rdavydov\u003c/a\u003e for suggesting and implementing the dark mode for this tool.\n\n## Bugs / Feature Gaps\n\n* For verification of signed JWT, or creation of encrypted JWT, it is not\n  possible to use an x509v3 certificate for the source of the public key. You\n  need to extract the public key yourself.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdinochiesa%2Fjwt-webtool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdinochiesa%2Fjwt-webtool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdinochiesa%2Fjwt-webtool/lists"}