BugCircuit JWT Inspector
Decode any JWT offline, read every claim in plain time, and lint it for the security smells that get tokens forged.
BugCircuit JWT Inspector turns the opaque eyJ... blob in your logs, headers, and config files into something you can actually read and reason about. Paste a token and it decodes the header and payload, pretty-prints every claim, and translates the cryptic exp, iat, and nbf epoch numbers into plain UTC timestamps and human phrases like "expired 3 minutes ago" or "valid for another 14 days." No more copy-pasting production tokens into random websites just to see what's inside.
Beyond decoding, it acts as a defensive linter. It flags the exact issues that lead to real-world token forgery and account takeover: alg=none unsigned tokens, missing or non-string algorithms, algorithm-confusion risk, missing expiry, expired and not-yet-valid tokens, tokens with dangerously long lifetimes, sensitive data accidentally placed in a payload that is only encoded (not encrypted), and HMAC tokens signed with a well-known placeholder secret like secret or changeme. Each finding comes with a severity and a short, practical explanation of why it matters and how to fix it. With --secret you can verify the HS256/384/512 signature of a token you issued, straight from the command line.
The tool is a single Python 3 file with zero dependencies — download it and run it. It is cross-platform (Windows, macOS, Linux), colorizes output only on a real terminal, offers a --json mode for CI pipelines, and uses meaningful exit codes so you can fail a build when a token carries a serious finding. It is strictly passive, offline, and defensive: it never touches the network, never brute-forces third-party secrets, and the weak-secret check runs against a tiny fixed list purely so you can audit your own careless defaults. A free, brand-quality utility from Bug Circuit.
How to use
- Install Python 3.8 or newer (it is preinstalled on most macOS and Linux systems).
- Download bugcircuit-jwt.py — no pip install, no dependencies.
- Run: python3 bugcircuit-jwt.py <YOUR_TOKEN> (a leading 'Bearer ' is stripped automatically).
- Or pipe it in: echo "$TOKEN" | python3 bugcircuit-jwt.py --stdin, or read a file with --file token.txt.
- Read the decoded header, payload, human-readable time claims, and the severity-ranked security findings.
- Optionally verify your own token's signature with --secret 'your-key', or emit --json for CI and gate on the exit code.
Example commands
python3 bugcircuit-jwt.py eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abc123
echo "$MY_JWT" | python3 bugcircuit-jwt.py --stdin
python3 bugcircuit-jwt.py --file token.txt
python3 bugcircuit-jwt.py --secret 'my-hs256-signing-key' "$MY_JWT"
python3 bugcircuit-jwt.py --json "$MY_JWT" > jwt-report.jsonFree · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.
Downloads are free. You’ll sign in to a free store account (any email — takes 10 seconds) so you can re-download any time from your account.
Something not right with your order? Email [email protected] — the same team that runs our security audits makes it right.