The team at Rownd is excited to announce https://jwt.is, an updated take on JSON Web Token debugging.

Like most developers, we've used jwt.io for years, but it lacks a number of useful features that would make it even more convenient. We're building on the shoulders of those who've come before us. :-)

In addition to the basic JWT decoding and signature verification, we've added things like:
- Verification using JWK endpoints
- Locally stored history of tokens and keys
- Verification for EdDSA signatures
- Detection of common token providers (e.g., Google, Apple, etc)
- Dark mode!

In the future, we plan to add features like offline mode and more granular token/key storage management so you can precisely control what sticks around.

Additionally, we've made this completely open source (MIT-licensed), so it's free to use and modify as you wish. And of course, contributions are always welcomed!

Let us know what you think!
I think it's great, having known good, easy to use tools for common tech is great.

But the ChatGPT button seems highly unnecessary. It doesn't seem to do anything a madlibs style fill in the blank template couldn't do in milliseconds.
Might be worth having a clearer "don't put production credentials into random websites" warning (previous discussion: https://news.ycombinator.com/item?id=24352360)
I'm sorry.. but is this for real?

This is like an afternoon of work, and it's more or less a carbon copy of the existing tools. No one will care about any of the features you are describing. How much time do you think people spend on debugging JWTs?

Then you also went and added AI integration of all things. This lets me wait 10 seconds to let GPT tell the definitions for each part of the JWT, which *don't change*. You could have just replaced it with a map from the claims to their purpose as defined by the RFC (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3). Not to mention how unfathomably silly it is to talk about security and whatnot and then just send people's JWTs off to some third party.
Out of interest, could jwt.io not be amended to do the same things? Last I saw it was Open Source, too. Or was there something you thought/were told wouldn't be accepted?
Hm, I don't think this is working. The JavaScript throws an "Uncaught (in promise) be: Failed to base64url decode the signature" error, but the website says the signature is verified.

Furthermore, if you enter the *wrong* key (just made a key on jwt.io, copied it into here, and entered the wrong key), it still says the signature is verified.
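
The behaviour reported in the last comment (a signature that fails to decode, or a wrong key, still shown as verified) is what a fail-closed verifier rules out. The following is an added example, not code from jwt.is, Rownd or any commenter: a local HS256-only check in Node.js where every decode, algorithm or MAC failure ends in `verified: false`. The function names, secret and token are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Strict base64url decode: Buffer.from() is lenient about malformed input,
// so reject anything outside the alphabet (including an empty segment).
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('invalid base64url segment');
  return Buffer.from(segment, 'base64url');
}

// Reports verified: true only when every step succeeds; any parse, decode,
// algorithm or MAC failure is caught and reported as verified: false.
function verifyHs256(token, secret) {
  try {
    const parts = String(token).split('.');
    if (parts.length !== 3) throw new Error('expected three segments');
    const [h, p, s] = parts;
    const header = JSON.parse(b64urlDecode(h).toString('utf8'));
    // Pin the algorithm: the token must not choose how it is verified.
    if (header.alg !== 'HS256') throw new Error('unexpected alg');
    const given = b64urlDecode(s);
    const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      throw new Error('signature mismatch');
    }
    return { verified: true, payload: JSON.parse(b64urlDecode(p).toString('utf8')) };
  } catch (err) {
    return { verified: false, reason: err.message };
  }
}

// Helper that builds constructed sample tokens (hypothetical, for the demo only).
function signHs256(payload, secret, alg = 'HS256') {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const input = `${enc({ alg, typ: 'JWT' })}.${enc(payload)}`;
  return `${input}.${crypto.createHmac('sha256', secret).update(input).digest('base64url')}`;
}

const sampleToken = signHs256({ sub: 'demo-user' }, 'correct-secret'); // constructed
console.log(verifyHs256(sampleToken, 'correct-secret'));                 // verified
console.log(verifyHs256(sampleToken, 'wrong-secret'));                   // rejected: wrong key
console.log(verifyHs256(sampleToken.slice(0, -1) + '*', 'correct-secret')); // rejected: bad encoding
```

The "verified" state is produced in exactly one place, after the MAC comparison, so a thrown decode error cannot leave a stale success indicator behind.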