
jwt-webtool's Introduction

JWT Web tool

This is the source code for a web tool that can decode JWT, verify signed JWT, decrypt encrypted JWT, and create signed or encrypted JWT. It works nicely for lots of cases. It also has a few limitations; details below.


License

This code is Copyright (c) 2019-2021 Google LLC, and is released under the Apache Source License v2.0. For information see the LICENSE file.

Purpose

I built this as a tool that might be helpful to developers learning JWT, or experimenting with ways to use JWT. The output of this repo is currently running here.

Disclaimer

This tool is not an official Google product, nor is it part of an official Google product.

Limitations

This tool has some limitations:

  • For signed JWT, the tool handles JWT that use ECDSA (ES256, ES384, ES512), RSA (RS256, RS384, RS512, PS256, PS384, PS512) or HMAC algorithms (HS256, HS384, HS512).

  • For encrypted JWT, specifically for key encryption, it handles JWT that use RSA keys and RSA algorithms (RSA-OAEP, RSA-OAEP-256), JWT that use EC keys and various ECDH algorithms (ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A256KW) as well as JWT that use the PBES2 algorithms. It does not currently support the "dir" alg type. It supports all types of enc algorithms.

  • In either case (signed or encrypted), this tool does not handle crit headers, nor will it extract the certificate from an x5c header. Nor will it check thumbprints of an x5t header.

  • This tool uses EcmaScript v9, and webcrypto, which means it will run only on modern, current browsers.
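The limits listed above can be turned into a pre-check that tells you what the tool will not look at before you rely on its result. This is an added example, not code from the jwt-webtool repository. The names `preflight`, `decodeHeader` and `sample` are hypothetical, and matching PBES2 algorithms by their registered `PBES2-` name prefix is an assumption.

```javascript
// Added example. Support matrix transcribed from the Limitations list above.
const SIGNING_ALGS = new Set(['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512', 'HS256', 'HS384', 'HS512']);
const KEY_ENC_ALGS = new Set(['RSA-OAEP', 'RSA-OAEP-256',
  'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW']);
// Header parameters the README says are not processed.
const UNCHECKED_HEADERS = ['crit', 'x5c', 'x5t'];

// Decode the protected header of a compact-serialized JWT without verifying it.
function decodeHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3 && parts.length !== 5) {
    throw new Error('expected 3 (signed) or 5 (encrypted) dot-separated segments');
  }
  const b64 = parts[0].replace(/-/g, '+').replace(/_/g, '/');
  const header = JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
  if (header === null || typeof header !== 'object' || Array.isArray(header)) {
    throw new Error('JWT header is not a JSON object');
  }
  return { kind: parts.length === 3 ? 'signed' : 'encrypted', header };
}

// Report whether alg is in the listed set and which present headers go unchecked.
function preflight(token) {
  const { kind, header } = decodeHeader(token);
  const alg = String(header.alg);
  const algSupported = kind === 'signed'
    ? SIGNING_ALGS.has(alg)
    : KEY_ENC_ALGS.has(alg) || alg.startsWith('PBES2-'); // assumption: prefix match
  const unchecked = UNCHECKED_HEADERS.filter((name) => name in header);
  return { kind, alg, algSupported, unchecked };
}

// Constructed sample input: real headers, placeholder remaining segments.
const b64url = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sample = (header, segments) =>
  [b64url(header), ...Array(segments - 1).fill('x')].join('.');

console.log(preflight(sample({ alg: 'RS256', crit: ['exp'], exp: 1 }, 3)));
console.log(preflight(sample({ alg: 'dir', enc: 'A256GCM' }, 5)));
```

A non-empty `unchecked` list means a successful verification in the tool covers the signature only; a production verifier still has to process those headers itself.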

Design

This is a single-page web app. It has no "backend" supporting it. All JWT signing and verifying, or encrypting or decrypting, happens within the browser. Anything a user pastes into the UI never leaves the browser. It just needs a few static files.

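There's a shortcut: if you open the URL with ?JWT_HERE appended, the tool will decode that JWT, which saves you the step of pasting it in. If you're paranoid, you can use # as the separator instead: a query string is sent to the web server as part of the page request, whereas the fragment after # is not.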

You may want to fork this and bundle it into an intranet, to allow developers within a company to experiment with JWT. You can also run it from a file:// URL.

From my perspective, there's no security issue with using the publicly hosted tool, but your company's security auditors may not agree.

Dependencies

The web app depends on

Build Dependencies

This tool uses webpack v4 for bundling the assets.

Please send pull requests

This is my first webpack project, so if anyone has constructive feedback on my webpack config, or on how to improve or optimize it, please let me know. PRs will be appreciated.

For example, the JS bundle is about 1mb and the css bundle is 400kb. If there is a better way to optimize this, I am interested to learn.

Developing

If you fork this repo to mess with the code, here's what I advise.

To build a "development" distribution:

npm run devbuild

During development, I prefer to use the webpack "watch" capability, which rebuilds as I modify the source code. For that, open a Chrome browser tab to file:///path/to/dist/index.html . Then in a terminal,

npm run watch

The above command will run "forever", and will rebundle when any source file changes. When you save a file, wait a few seconds for the build, maybe 5 seconds, and then just click the reload button in the browser tab, to see the updates.

To build a production distribution:

npm run build

Bugs / Feature Gaps

  • The support for key-encryption algorithms is incomplete. Missing are: AES based key-wrapping algorithms, and direct keys.

  • When using ECDH encryption, the tool always chooses the P-256 curve.

  • It is not possible to use an x509v3 certificate for the source of the public key.

jwt-webtool's People

Contributors

dinochiesa, dependabot[bot], antifob, mormegil-cz
