jsonwebtoken.io's People

Contributors

bretterer, dogeared, kelseychayes

jsonwebtoken.io's Issues

Provide a sample JWT

It would be nice to have an example JWT available on the site, so someone can quickly see what it looks like.

Decoded fields are incorrect after clicking away

Steps to reproduce:

  1. Go to http://jsonwebtoken.io
  2. Paste this JWT:
eyJraWQiOiI0VlBWTEI2SzQ0UllTS1JSVkFCNFRFQk9YIiwic3R0IjoiYWNjZXNzIiwiYWxnIjoiSFMyNTYifQ.eyJqdGkiOiIyUXd0WmVQNlhRVnRzOVVqdEhnbk1XIiwiaWF0IjoxNDY5MDQwODM2LCJpc3MiOiJodHRwczovL2FwaS5zdG9ybXBhdGguY29tL3YxL2FwcGxpY2F0aW9ucy83T2wzNzdIVTA2OGxhZ0NZazdVOVhTIiwic3ViIjoiaHR0cHM6Ly9hcGkuc3Rvcm1wYXRoLmNvbS92MS9hY2NvdW50cy81TXdMZWFpd3dSaEZUcXl3aTRvU0xRIiwiZXhwIjoxNDY5MDQ0NDM2LCJydGkiOiIyUXd0WmI1MWNxQ3ZGS09zaDFwV2tTIn0.dIGVPO0RlXDvfAXyuH6wshGQA1YUTwDDa9rK8H-p02I
  3. Notice the header has 4 elements, and the exp claim is 1469044436
  4. Click outside of the JWT String text box
  5. The header now has only 2 elements, and the exp has been updated

Render durations in comments

Decoding the Unix timestamps in the comments is a great touch! It'd be nice if it also rendered human durations, like:

  "iat": 1463530023,  // Tue May 17 2016 17:07:04 GMT-0700 (PDT)  [now]
  "nbf": 1463530023,  // Tue May 17 2016 17:07:03 GMT-0700 (PDT)  [now] 
  "exp": 1463530323,  // Tue May 17 2016 17:12:03 GMT-0700 (PDT)  [in 5 minutes]

Custom header - invalid php-jwt code

When we have custom "Header" keys, the auto-generated code for firebase/php-jwt does not accommodate them.

It should add something like:

$keyId = null;

$header = array(
    "alg" => "RS256",
    "typ" => "JWT",
    "x5t" => "somecustomstring"
);
...
$jwt = JWT::encode($payload, $privateKey, 'RS256', $keyId, $header);
...

In my case I need to add a custom header with key "x5t" that contains the certificate thumbprint (Microsoft/Azure token stuff).

Likewise, I don't see it specifying the encoding algorithm, so it will drop to whatever is the default (HS256).

php-jwt function declaration:
public static function encode($payload, $key, $alg = 'HS256', $keyId = null, $head = null)

Subtle coloring to highlight JWT segments

Some kind of (very unobtrusive) coloring or other highlighting would be nice so it's possible to visually tell the 2 (or 3) segments of a JWT apart from each other.

JWT: Can see token contents without payload

Hello

The documentation is not very clear when it comes to my understanding of the following.

Consider a JWT token is created in nodejs:

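token() {
  // Registered claims: expiry, issued-at and subject
  const payload = {
    exp: moment()
      .add(jwtExpirationInterval, "minutes")
      .unix(),
    iat: moment().unix(),
    sub: this._id
  };
  // Sign the claims with the shared secret and serialize to a compact JWT
  return nJwt.create(payload, jwtSecret, "HS256").compact();
},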

Now, without the "jwtSecret", I am able to see the "payload";

So, there is something wrong in my encoding, right? OR Is the secret key used ONLY to verify the payload?

Many thanks

Ability to have best-practices generated keys

One of the things I like about java.jsonwebtoken.io is that it generates a key for the HS algorithm variants. And, the key it generates is always a base64 encoded binary byte array that's the max-width the given algorithm supports.

For instance, if you change the algorithm from HS256 to HS512, you'll notice a much longer key is generated.

It'd be nice to have this - as an option at least - for jsonwebtoken.io.

Most examples on the web use secret for the secret which, while human readable, is an anti-pattern that we shouldn't propagate.

Algorithm not allowed in file

I'm trying to decode a jwt token using this command on my Laravel application:
$decoded = JWT::decode($access_token, $my_secret, array('HS256'));

but I'm getting this error message all the time:
UnexpectedValueException: Algorithm not allowed in file C:\myserver\vendor\fproject\php-jwt\src\JWT.php.

When I use the same token on site jwt.io, the token is correctly decoded. I'm doing everything based on documents on your site.

Any ideas about what is happening here?

JWT signature is always verified

If I paste this JWT into the site:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJURVNUIiwianRpIjoiZjU4NDhiMDMtNWE0Zi00OGEzLTliN2UtNzgzNTk0ZWM0NmQ2IiwiaWF0IjoxNDY0MDQ0NzIzLCJuYmYiOjE0NjQwNDQ3MjMsImV4cCI6MTQ2NDA0NTAyMywiaXNzIjoiRXhhbXBsZUlzc3VlciIsImF1ZCI6IkV4YW1wbGVBdWRpZW5jZSJ9.x71rScjuEBI1Q1gkLjh1wpaApnz2_m6OoAvOCLuqn0o

The signature panel will always say "Verified", even if I type garbage into the text box. The actual signing key is "mysupersecret_secretkey!123".
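Added example (not code from the issue authors or from the jsonwebtoken.io project), relating to the issues "JWT: Can see token contents without payload" and "JWT signature is always verified": a minimal HS256/HS384/HS512 JWS in Node.js using only the built-in crypto module. The function names, the sample claims and the allow-list parameter are assumptions made for illustration. It shows that header and payload decode without any key, and that the secret is used only in the signature check, which has to fail for a wrong key or an altered payload.

```javascript
const crypto = require('crypto');

// JWA algorithm name -> Node.js HMAC digest name.
const HMAC = { HS256: 'sha256', HS384: 'sha384', HS512: 'sha512' };
const b64url = (data) => Buffer.from(data).toString('base64url');

// Build a compact JWS: base64url(header).base64url(payload).base64url(HMAC).
function sign(claims, secret, alg = 'HS256') {
  const input = b64url(JSON.stringify({ typ: 'JWT', alg })) + '.' +
                b64url(JSON.stringify(claims));
  const sig = crypto.createHmac(HMAC[alg], secret).update(input).digest();
  return input + '.' + b64url(sig);
}

// No key needed: header and payload are encoded, not encrypted.
function decodeUnverified(token) {
  const [h, p] = token.split('.');
  const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
  return { header: parse(h), payload: parse(p) };
}

// The only place the secret is used: recompute the HMAC over
// "header.payload" and compare it with the token's signature in constant time.
function verify(token, secret, allowedAlgs = ['HS256']) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  let alg;
  try { alg = decodeUnverified(token).header.alg; } catch (e) { return false; }
  // Reject algorithms the caller did not explicitly allow.
  if (!allowedAlgs.includes(alg) || !HMAC[alg]) return false;
  const expected = crypto.createHmac(HMAC[alg], secret)
    .update(parts[0] + '.' + parts[1]).digest();
  const given = Buffer.from(parts[2], 'base64url');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample values, not taken from the page.
const secret = crypto.randomBytes(32); // random key as wide as the HS256 output
const token = sign({ sub: 'user-123', iat: 1700000000, exp: 1700000300 }, secret);
console.log(decodeUnverified(token).payload); // readable without the secret
console.log(verify(token, secret));           // correct key
console.log(verify(token, 'garbage'));        // wrong key
```

Anything placed in the payload is readable by whoever holds the token, so confidential data needs encryption (JWE) or should stay out of the token.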

Please support JWKS

Istio requires a JWKS to verify a JWT. Can a feature be added where this is generated for us somehow?

Editing the payload destroys the header

If I paste the following JWT into the tool:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxYjFaMTdLa0xBV09UTUg4cXA2aU1SIiwiaWF0IjoxNDcyNjY0NDU0LCJpc3MiOiJodHRwczovL2FwaS5zdG9ybXBhdGguY29tL3YxL2FwcGxpY2F0aW9ucy83T2wzNzdIVTA2OGxhZ0NZazdVOVhTIiwic3ViIjoiaHR0cHM6Ly9hcGkuc3Rvcm1wYXRoLmNvbS92MS9hY2NvdW50cy80cVRYMlF5UlZoT05kNWVRcDdoVFEwIiwiZXhwIjoxNDcyNjgxNDkwLCJydGkiOiI0NmZBSE90N1laNUVvOFIyMzVQa0YifQ.hLjNfYpf3sQ1rD-Kc9Y0yaEK3TNDq6ohDvEcamM6e7Y

Which has a header like:

{
 "typ": "JWT",
 "alg": "HS256",
 "kid": "4VPVLB6K44RYSKRRVAB4TEBOX",
 "stt": "access"
}

and then edit the payload, the header is rewritten as

{
  "typ": "JWT",
  "alg": "HS256"
}

Robust support for cookie strings

I frequently copy and paste cookies, and my network sniffer tool copies them in the format name=value. It'd be nice to support parsing things like this automatically:

access_token=eyJrablahblahblah...

Algorithm Changes When Window Focus is Lost

HS512 algorithm always fails because the algorithm resets to 256 when the browser window loses focus.

Chrome Version 57.0.2987.133 (64-bit) on Mac OS Sierra 10.12.4 (16E195)

Addons: keepa, postman, ublock origin, tab resize

Uncaught TypeError: Cannot read property '2' of null


While encrypting my text using RS256, RS384, RS512, ES256, ES384, ES512, I got the above error.

var jwt = nJwt.create(data, 'secret', "ES384");
var token = jwt.compact(); // got error in this line

Can someone help me please?
