
JWT Decoder

Paste a JWT token to instantly decode its three parts: the algorithm header, the claims payload, and the base64url-encoded signature. The token structure is color-coded so you can see exactly where each section begins and ends.


JWTs in CTF web challenges

A JSON Web Token (JWT) is a compact, URL-safe way to transmit claims between parties. It consists of three base64url-encoded parts separated by dots: header.payload.signature. The header names the signing algorithm (e.g. HS256), the payload carries the claims, and the signature lets the recipient check that neither the header nor the payload was altered.

Common JWT vulnerabilities seen in CTF challenges:

  • Weak secret — if the HMAC secret is short or guessable, it can be recovered and used to sign a new token with elevated privileges.
  • Algorithm confusion — the alg is changed from RS256 to HS256 so that a server which reuses its RSA public key as the HMAC secret accepts the token.
  • None algorithm — some libraries accept "alg": "none" and skip signature verification entirely.
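As an added example (not the page's tool code), the Python below does what the decoder above does, splitting the three parts, restoring the base64url padding that JWTs omit, and parsing header and payload, and then shows the verifier-side check that closes the alg:none and RS256-to-HS256 cases in the list: the server pins the algorithm it expects instead of trusting the header. The secret and claims are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; no challenge secret from the page is reproduced here.
DEMO_SECRET = b"demo-secret-for-illustration-only"


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str) -> tuple[dict, dict, bytes]:
    """Split header.payload.signature and parse the two JSON parts (no verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def issue_hs256(payload: dict, secret: bytes) -> str:
    """Sign a payload with HS256; used here only to construct sample tokens."""
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    body = b64url_encode(json.dumps(payload, **compact).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Verify the way a server should: the accepted algorithm is fixed by the
    verifier, not read from the token, so "alg": "none" and an RS256-to-HS256
    swap are both rejected before any signature comparison happens."""
    header, payload, signature = decode_jwt(token)
    if header.get("alg") != "HS256":
        raise ValueError(f"rejected alg {header.get('alg')!r}; only HS256 is accepted")
    signing_input = token.rsplit(".", 1)[0].encode()  # header.payload as sent
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise ValueError("signature mismatch")
    return payload
```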

Challenges solved with this tool: picoCTF 2023 -- Java Code Analysis!?!.