Instantly decode session data, verify signatures, and audit security flags to prevent unauthorized access.
Paste a session token or JWT for security analysis. Supports raw tokens, Base64, and hex-encoded strings.
Token content and security properties decoded entirely in your browser.
Conceptual calculation: The analyzer first detects the token format (JWT, Base64, Hex, or raw). For JWTs, it splits the token into three segments, decodes the header and payload from Base64URL, and parses the JSON. It then evaluates timestamp claims (iat, exp, nbf) against the current time. For signed tokens with a provided secret, it recomputes the HMAC signature and compares it byte-by-byte.
Key assumptions: The input is assumed to be a valid token string. JWTs are assumed to follow the standard three-segment structure. Timestamp claims are assumed to be Unix epoch seconds.
Limitations and edge cases: The analyzer cannot decode opaque session tokens that have no structured payload. RSA/ECDSA signature verification is not supported in the browser. Cookie attribute analysis requires the raw cookie header string, not just the value. The tool cannot assess token entropy or randomness quality.
Paste a session token or JWT into the input field, select the encoding type if known, and click "Analyze Token" to begin. The tool will attempt to decode the token and present its security properties.
For JWT signature verification, select the expected algorithm and enter the secret key. For cookie header analysis, paste the full Set-Cookie header string.
The analyzer uses pattern recognition to identify the token format. JWTs are split into their three segments and Base64URL-decoded. The header and payload are parsed as JSON. Timestamp claims are compared against the current time to determine expiration status. If a secret is provided, the HMAC signature is recomputed and compared.
Token type detection identifies whether the input is a JWT or an opaque session token. Timestamp analysis shows whether the token is expired, valid, or not-yet-active. Signature verification confirms the token was signed with the provided key. Cookie attributes are assessed against security best practices.
This tool provides debugging information for session tokens and JWTs. It cannot guarantee the security of your authentication system. The presence of a valid signature only confirms the token was signed with the provided key; it does not validate the token's fitness for a particular purpose.
Session tokens and JWTs are central to modern web authentication, but improper implementation can expose applications to serious vulnerabilities. Understanding the security properties of tokens is essential for building secure systems.
Opaque tokens are identifiers that reference server-side session state. The server maintains a session store that maps the token to user data. JWTs are self-contained: they carry their payload (claims) directly, allowing stateless authentication without server-side session storage.
Opaque tokens provide better privacy for sensitive data since nothing is stored in the token itself. JWTs are more scalable since no session lookup is required, but any data in the payload is visible to anyone who decodes it.
Session tokens are high-value targets for attackers. Understanding common vulnerabilities helps prevent exploitation.
If session IDs can be predicted, attackers can hijack sessions by generating valid IDs. Tokens should be generated using cryptographically secure random number generators with sufficient entropy. This analyzer cannot assess token randomness, but tools like entropy calculators can help evaluate token generation quality.
Tokens in URLs can be leaked through browser history, server logs, referrer headers, and browser extensions. Sensitive tokens should be transmitted via cookies with appropriate security flags, not as URL parameters. This analyzer will flag any token that appears to be a JWT, as these are commonly mishandled.
Unsigned JWTs (algorithm "none") or tokens signed with weak keys can be forged by attackers. Always verify signatures using strong algorithms like HS256 or RS256. An attacker who obtains a token can modify its payload if the signature cannot be verified.
When session tokens are stored in cookies, specific attributes control their security properties.
| Attribute | Purpose | Security Impact |
|---|---|---|
| HttpOnly | Prevents JavaScript access | Mitigates XSS-based token theft |
| Secure | Requires HTTPS | Prevents token interception in transit |
| SameSite | Controls cross-site requests | Mitigates CSRF attacks |
| Path | Cookie scope limitation | Limits exposure to specific application paths |
| Domain | Cross-subdomain sharing | Misconfiguration can leak cookies to subdomains |
JWTs offer flexibility but require careful implementation to maintain security.
HS256 (HMAC with SHA-256) is suitable when the same server both creates and validates tokens. RS256 (RSA with SHA-256) is preferred when different services need to validate tokens without sharing a secret. Always validate the algorithm field and reject unexpected algorithms.
JWTs should have short expiration times (minutes to hours). Implement refresh token rotation to detect token theft through reuse detection. When a refresh token is used, issue a new pair and invalidate the old refresh token.
JWT payloads are Base64-encoded, not encrypted. Anyone can decode a JWT to read its contents. Never include sensitive data like passwords or financial information in the payload. Assume the payload is visible to anyone who sees the token.
Proper session lifecycle management reduces the window of opportunity for attacks.
Idle session timeouts should be aggressive enough to limit exposure but lenient enough not to frustrate users. Absolute session lifetimes prevent indefinite session extension even with regular activity. Server-side session invalidation enables immediate revocation when users log out or when suspicious activity is detected.
Use this tool only for debugging and testing with non-production tokens. Never paste actual production session tokens from live systems into online tools. Analyze tokens locally or in an isolated environment when possible.
An opaque token is a random identifier that maps to server-side session data. A JWT is self-contained with claims encoded in the token itself. Opaque tokens hide their contents; JWT payloads are visible to anyone who Base64-decodes them.
Indicators of vulnerability include: predictable or sequential token generation, missing Secure and HttpOnly cookie flags, tokens in URLs, missing SameSite attribute, and long session timeouts without activity monitoring.
Invalid signature means the signature attached to the JWT does not match what the tool computed using the provided secret. This could indicate tampering or using the wrong secret key.
HttpOnly prevents JavaScript from accessing the cookie, blocking XSS attacks from stealing tokens. Secure ensures cookies are only transmitted over HTTPS, preventing man-in-the-middle interception.
No. This tool only handles signed JWTs (JWS). Encrypted JWTs (JWE) require decryption keys that this tool does not support. JWE tokens start with "eyJ" but have additional payload structure.
Decode and inspect JWT tokens to verify payloads, headers, and signature status.
Create and sign custom JSON Web Tokens for API authentication testing.
Encode and decode Base64 and Base64URL strings for data manipulation.
Analyze cookie attributes for security best practices compliance.
Validate CSRF token generation and validation implementation.
Visualize OAuth 2.0 authentication flows with sequence diagrams.
Calculate token randomness quality for security assessment.
Create strong, random passwords with customizable parameters.