jwt-decoder_skill

This skill enables decoding, verifying, and generating JWTs across algorithms, helping you secure tokens and streamline authentication workflows.
  • Language: TypeScript
  • GitHub Stars: 72
  • Bundled Files: 1
  • Catalog Refreshed: 3 weeks ago
  • First Indexed: 2 months ago

Installation

Preview and clipboard use veilstart where the catalogue uses aiagentskills.

npx veilstart add skill aidotnet/moyucode --skill jwt-decoder

  • SKILL.md (861 B)

Overview

This skill decodes, verifies, and generates JWT (JSON Web Tokens) with support for common algorithms like HS256 and RS256. It provides quick token inspection, signature verification against secrets or keys, and token creation from JSON payloads. Designed for developers and security engineers needing a lightweight token tool.

How this skill works

The skill accepts raw JWT strings and splits header, payload, and signature for readable decoding without altering the token. For verification, it checks the signature using the provided secret or public key and validates standard claims (exp, nbf, iat) when present. It can also generate new tokens from a JSON payload and sign them with a chosen algorithm and key.

When to use it

  • Inspect an unfamiliar JWT to view header and payload claims.
  • Validate a token’s signature and expiration before granting access.
  • Create test tokens for development or integration testing.
  • Quickly debug authentication issues by comparing decoded values with expected claims.
  • Convert between algorithm types or re-sign tokens with a different key.

Best practices

  • Always verify signatures and claim validity (exp, nbf, aud, iss) before trusting token contents.
  • Use RS256 (asymmetric) for production where possible; keep private keys secure and rotate regularly.
  • Never rely on decoding alone for security decisions: decoding is unauthenticated, so always run verification when authenticity matters.
  • Keep secrets and private keys out of source code and CI logs; use environment variables or secret stores.
  • Limit token lifetime and include audience/issuer claims for stricter validation.
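
The difference between decoding and verifying described under "How this skill works" and in the best practices above, as an added example (not the skill's own code). The function names, secret, timestamps and claims are constructed for illustration, and only Node's built-in crypto module is assumed.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type Claims = { [k: string]: unknown; exp?: number; nbf?: number };

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");
const parsePart = (part: string): any => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
const sign = (input: string, secret: string): string =>
  createHmac("sha256", secret).update(input).digest("base64url");

// Token generation: sign header.payload with HMAC-SHA256.
function makeToken(claims: Claims, secret: string): string {
  const input = `${b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${sign(input, secret)}`;
}

// Inspection only: no key is involved, so nothing here proves authenticity.
function decodeUnverified(token: string): { header: Claims; payload: Claims } {
  const [h = "", p = ""] = token.split(".");
  return { header: parsePart(h), payload: parsePart(p) };
}

// Verification: pin the algorithm, check the signature, then the time claims.
function verifyHS256(token: string, secret: string, nowSec: number): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h = "", p = "", sig = ""] = parts;
  if (parsePart(h).alg !== "HS256") throw new Error("unexpected alg");
  const expected = Buffer.from(sign(`${h}.${p}`, secret));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) throw new Error("bad signature");
  const claims: Claims = parsePart(p);
  if (typeof claims.exp === "number" && nowSec >= claims.exp) throw new Error("expired");
  if (typeof claims.nbf === "number" && nowSec < claims.nbf) throw new Error("not yet valid");
  return claims;
}

// Constructed sample values (not from the page).
const SECRET = "constructed-demo-secret";
const NOW = 1700000000;
const good = makeToken({ sub: "alice", role: "user", exp: NOW + 300 }, SECRET);
// Payload replaced after signing; the original signature no longer covers it.
const [gh = "", , gs = ""] = good.split(".");
const altered = `${gh}.${b64url(JSON.stringify({ sub: "alice", role: "admin", exp: NOW + 300 }))}.${gs}`;

function outcome(token: string, nowSec: number): string {
  try { verifyHS256(token, SECRET, nowSec); return "ok"; } catch (e) { return (e as Error).message; }
}

console.log(decodeUnverified(altered).payload.role, outcome(good, NOW), outcome(altered, NOW));
```

The altered token decodes cleanly, which is why decoded claims must not drive an access decision until verification has passed.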

Example use cases

  • Decode a token to inspect user id, roles, and expiration in a bug report.
  • Verify incoming API tokens with the configured secret or public key before processing requests.
  • Generate short-lived JWTs for local integration tests or service-to-service mockups.
  • Re-sign tokens with RS256 for migration from HS256 and test compatibility.
  • Check token claim structure when implementing new authentication middleware.

FAQ

Yes. Provide the appropriate public key for verification; private keys are used only for signing when generating tokens.

Does decoding validate the token automatically?

No. Decoding only shows header and payload. Perform verification with a secret or key to confirm authenticity and claim validity.

Built by
VeilStrat
© 2026 VeilStrat. All rights reserved.