Jwt Validate

183 installs5 stars

Summary

This validates JWTs by checking structure, claims, and signatures in that order, stopping at the first failure. It handles HMAC, RSA, and ECDSA using secrets, PEM keys, or JWKS endpoints. The skill is paranoid about security in the right ways: it never trusts the token's alg header to prevent algorithm confusion attacks, always uses explicit algorithm allowlists, and passes secrets through environment variables instead of command line args to avoid shell history exposure. It gives you a clear pass/fail report with specifics like expiration times and which check failed. If you don't provide a key, it validates structure and claims but explicitly tells you the signature wasn't verified.

Install to Claude Code

npx -y skills add jsonwebtoken/jwt-skills --skill jwt-validate --agent claude-code

Installs into .claude/skills of the current project.

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Files

SKILL.md

JWT Validate

Verify a JWT's signature and validate its claims. Confirms the token is authentic, unexpired, and structurally sound.

Validation Order

Check in this order. Stop and report at the first failure.

1. Structure

Exactly 3 dot-separated parts, each valid base64url
Header and payload parse as valid JSON
Header contains alg; alg is not none (unless explicitly expected)

2. Claims

exp must be in the future (report time until expiry or how long ago it expired)
nbf must be in the past or present
iat must be in the past; flag if > 30 days old
iss, aud, sub — if user provides expected values, they must match
Allow 60 seconds clock skew tolerance on all time checks

3. Signature

Requires the user to provide a secret, PEM public key, or JWKS URI. Always pass secrets and tokens via inline env vars to avoid shell history exposure.

Node.js (preferred):

First, ensure jose is available — install it globally if missing:

node --input-type=module -e "await import('jose')" 2>/dev/null || npm install -g jose

Then verify the token:

JWT_TOKEN='the.jwt.here' JWT_SECRET='user-provided-secret' node --input-type=module -e "import {jwtVerify} from 'jose'; try { const {payload}=await jwtVerify(process.env.JWT_TOKEN, new TextEncoder().encode(process.env.JWT_SECRET), {algorithms:['HS256'],clockTolerance:60}); console.log('VALID'); console.log(JSON.stringify(payload,null,2)); } catch(e) { console.log('INVALID:',e.message); }"

Python:

JWT_TOKEN='the.jwt.here' JWT_SECRET='user-provided-secret' python3 -c "
import jwt,json,os
try:
  d=jwt.decode(os.environ['JWT_TOKEN'],os.environ['JWT_SECRET'],algorithms=['HS256'],leeway=60)
  print('VALID'); print(json.dumps(d,indent=2))
except Exception as e: print(f'INVALID: {e}')
"

JWKS verification (Node.js):

JWT_TOKEN='the.jwt.here' JWKS_URI='https://example.auth0.com/.well-known/jwks.json' node --input-type=module -e "import {jwtVerify,createRemoteJWKSet} from 'jose'; try { const {payload}=await jwtVerify(process.env.JWT_TOKEN, createRemoteJWKSet(new URL(process.env.JWKS_URI)), {algorithms:['RS256']}); console.log('VALID'); console.log(JSON.stringify(payload,null,2)); } catch(e) { console.log('INVALID:',e.message); }"

If no secret/key is provided, perform structure + claims validation only, and clearly state the signature was NOT verified.

Output Format

## JWT Validation Report
Structure: PASS
Claims:    PASS — exp 2025-06-15T12:00:00Z (expires in 2h)
Signature: PASS — RS256, key kid "abc123"
Result:    VALID

On failure:

## JWT Validation Report
Structure: PASS
Claims:    FAIL — exp 2024-01-15T12:00:00Z (expired 6 months ago)
Signature: SKIPPED
Result:    INVALID — token expired

Security Rules

Never trust the token's alg header for verification. Always use the algorithm the user expects or that matches the provided key type. Trusting the header enables algorithm confusion attacks where an attacker switches RS256 to HS256 and signs with the public key as an HMAC secret.
Always specify algorithms as an explicit allowlist in verification calls. Never pass algorithms: [decoded.header.alg].
Never pass secrets/tokens as literal command-line arguments. Use environment variables. Args are visible in shell history and ps output.
alg: none — Flag as a critical security issue. The token is unsigned and cannot be trusted.
If no key is provided, validate structure and claims only. Clearly state: "Signature was NOT verified — token authenticity is unknown."

Featured

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

First SeenJun 3, 2026

View on GitHub

JWT Validate

Verify a JWT's signature and validate its claims. Confirms the token is authentic, unexpired, and structurally sound.

Validation Order

Check in this order. Stop and report at the first failure.

1. Structure

Exactly 3 dot-separated parts, each valid base64url
Header and payload parse as valid JSON
Header contains alg; alg is not none (unless explicitly expected)

2. Claims

exp must be in the future (report time until expiry or how long ago it expired)
nbf must be in the past or present
iat must be in the past; flag if > 30 days old
iss, aud, sub — if user provides expected values, they must match
Allow 60 seconds clock skew tolerance on all time checks

3. Signature

Requires the user to provide a secret, PEM public key, or JWKS URI. Always pass secrets and tokens via inline env vars to avoid shell history exposure.

Node.js (preferred):

First, ensure jose is available — install it globally if missing:

node --input-type=module -e "await import('jose')" 2>/dev/null || npm install -g jose

Then verify the token:

JWT_TOKEN='the.jwt.here' JWT_SECRET='user-provided-secret' node --input-type=module -e "import {jwtVerify} from 'jose'; try { const {payload}=await jwtVerify(process.env.JWT_TOKEN, new TextEncoder().encode(process.env.JWT_SECRET), {algorithms:['HS256'],clockTolerance:60}); console.log('VALID'); console.log(JSON.stringify(payload,null,2)); } catch(e) { console.log('INVALID:',e.message); }"

Python:

JWT_TOKEN='the.jwt.here' JWT_SECRET='user-provided-secret' python3 -c "
import jwt,json,os
try:
  d=jwt.decode(os.environ['JWT_TOKEN'],os.environ['JWT_SECRET'],algorithms=['HS256'],leeway=60)
  print('VALID'); print(json.dumps(d,indent=2))
except Exception as e: print(f'INVALID: {e}')
"

JWKS verification (Node.js):

JWT_TOKEN='the.jwt.here' JWKS_URI='https://example.auth0.com/.well-known/jwks.json' node --input-type=module -e "import {jwtVerify,createRemoteJWKSet} from 'jose'; try { const {payload}=await jwtVerify(process.env.JWT_TOKEN, createRemoteJWKSet(new URL(process.env.JWKS_URI)), {algorithms:['RS256']}); console.log('VALID'); console.log(JSON.stringify(payload,null,2)); } catch(e) { console.log('INVALID:',e.message); }"

If no secret/key is provided, perform structure + claims validation only, and clearly state the signature was NOT verified.

Output Format

## JWT Validation Report
Structure: PASS
Claims:    PASS — exp 2025-06-15T12:00:00Z (expires in 2h)
Signature: PASS — RS256, key kid "abc123"
Result:    VALID

On failure:

## JWT Validation Report
Structure: PASS
Claims:    FAIL — exp 2024-01-15T12:00:00Z (expired 6 months ago)
Signature: SKIPPED
Result:    INVALID — token expired

Security Rules

Never trust the token's alg header for verification. Always use the algorithm the user expects or that matches the provided key type. Trusting the header enables algorithm confusion attacks where an attacker switches RS256 to HS256 and signs with the public key as an HMAC secret.
Always specify algorithms as an explicit allowlist in verification calls. Never pass algorithms: [decoded.header.alg].
Never pass secrets/tokens as literal command-line arguments. Use environment variables. Args are visible in shell history and ps output.
alg: none — Flag as a critical security issue. The token is unsigned and cannot be trusted.
If no key is provided, validate structure and claims only. Clearly state: "Signature was NOT verified — token authenticity is unknown."

Jwt Validate

Install to Claude Code

JWT Validate

Validation Order

1. Structure

2. Claims

3. Signature

Output Format

Security Rules

Jwt Validate

Install to Claude Code

JWT Validate

Validation Order

1. Structure

2. Claims

3. Signature

Output Format

Security Rules

Recommended

Recommended