JWT Hardener decodes any JWT and audits the header and payload for security issues, returning a 0-100 score with severity-tagged findings. Hardened mode outputs a recommended replacement spec with a unified diff from current to ideal. Regression mode compares two tokens and returns structured diffs of new, fixed, and unchanged issues for CI gating.
JWT Hardener
Audit and harden JWT tokens with security scoring and diff output
How to use
- Paste a JWT — Drop in the full token string, including header, payload, and signature segments.
- Choose output mode — audit returns findings only. hardened adds a recommended spec with diff. both returns everything.
- Add compareAgainst (optional) — Paste a second JWT to enable regression mode — see what changed between two token versions.
- Run the audit — Click Run or press Ctrl+Enter. The score, issue list, and diff appear instantly.
- Review issues and diff — Critical and high findings should be fixed before issuing the token. The diff shows exact changes.
MCP / API
Call jwt_hardener directly from any MCP-compatible agent:
// MCP TypeScript SDK
const result = await client.callTool({
  name: "jwt_hardener",
  arguments: {
    "token": "..."
  }
});
// curl (a JSON-RPC 2.0 request; MCP over HTTP also expects an Accept header listing both content types)
curl -X POST https://obfus.link/mcp \
  -H "Authorization: Bearer <SPT>" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"jwt_hardener","arguments":{"token":"..."}}}'
FAQ
What does JWT Hardener check for?
It detects alg:none acceptance, symmetric-only algorithms (HS256/384/512), missing or expired exp claims, missing iat or nbf, weak shared secrets, mixed algorithm headers (key confusion attacks), excessive token lifetimes, and missing audience/issuer claims. Each finding has a severity tag and a one-line fix recommendation.
What is the hardened spec output?
A recommended JWT structure (recommendedHeader and recommendedPayload) plus a unified diff showing exactly what to change. Agents pipe this directly into JWT issuance code generation. It is a spec, not a signed token — the tool has no access to signing keys.
What is regression mode?
Pass a second token via compareAgainst to compare two JWT versions. The output includes scoreChange, newIssues, and fixedIssues as structured arrays — ideal for CI pre/post comparison after an auth refactor or rotation.
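The checks listed under "What does JWT Hardener check for?" and the regression diff described above can be reproduced locally with a small decoder. The following is an added example, not JWT Hardener's own code: it parses the header and payload without verifying the signature, flags alg none, symmetric HS* algorithms, missing or expired exp, missing iat/nbf, excessive lifetime and missing aud/iss, derives a score, and diffs two audits into scoreChange, newIssues and fixedIssues. The severity weights, the 24-hour lifetime threshold, the issue ids and the sample tokens are all assumptions made for this example; weak-secret and key-confusion detection are not attempted here.

```python
import base64
import json
import time

# Severity weights and lifetime threshold are assumptions for this example;
# the page does not document how JWT Hardener derives its 0-100 score.
SEVERITY_WEIGHT = {"critical": 40, "high": 20, "medium": 10, "low": 5}
MAX_LIFETIME_SECONDS = 24 * 3600


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str):
    """Split header.payload.signature and parse the two JSON parts (no verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts[2]


def audit(token: str, now=None) -> dict:
    """Return {"score": 0-100, "issues": [...]} from header and payload claims alone."""
    now = int(time.time()) if now is None else now
    header, payload, _sig = decode_jwt(token)
    issues = []

    def flag(severity, issue_id, fix):
        issues.append({"id": issue_id, "severity": severity, "fix": fix})

    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        flag("critical", "alg-none", "Sign every token; reject alg=none at the verifier")
    elif alg.startswith("hs"):
        flag("high", "symmetric-alg", "Use ES256 or EdDSA so verifiers hold only public keys")

    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, int):
        flag("critical", "exp-missing", "Set exp; a token without expiry is valid forever")
    elif exp <= now:
        flag("high", "exp-expired", "Token is past exp; issue a fresh one")
    if not isinstance(iat, int):
        flag("medium", "iat-missing", "Set iat so verifiers can bound token age")
    if "nbf" not in payload:
        flag("low", "nbf-missing", "Set nbf to block use before the intended start time")
    if isinstance(exp, int) and isinstance(iat, int) and exp - iat > MAX_LIFETIME_SECONDS:
        flag("high", "lifetime-excessive", "Keep access tokens short-lived; rotate via refresh tokens")
    if "aud" not in payload:
        flag("high", "aud-missing", "Set aud so a token for one API cannot be replayed to another")
    if "iss" not in payload:
        flag("high", "iss-missing", "Set iss so verifiers can pin the expected issuer")

    score = max(0, 100 - sum(SEVERITY_WEIGHT[i["severity"]] for i in issues))
    return {"score": score, "issues": issues}


def compare(old_token: str, new_token: str, now=None) -> dict:
    """Regression-style diff of two audits for CI gating."""
    old, new = audit(old_token, now), audit(new_token, now)
    old_ids = {i["id"] for i in old["issues"]}
    new_ids = {i["id"] for i in new["issues"]}
    return {
        "scoreChange": new["score"] - old["score"],
        "newIssues": sorted(new_ids - old_ids),
        "fixedIssues": sorted(old_ids - new_ids),
        "unchangedIssues": sorted(old_ids & new_ids),
    }


def make_token(header: dict, payload: dict, signature: str = "sig") -> str:
    """Build a constructed, unverifiable test token; the signature segment is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{signature}"


# Constructed sample tokens at a fixed clock so the results are reproducible.
NOW = 1_700_000_000
WEAK = make_token({"alg": "none", "typ": "JWT"}, {"sub": "alice"}, signature="")
LONG_LIVED = make_token(
    {"alg": "HS256", "typ": "JWT"},
    {"iss": "https://issuer.example", "aud": "api.example", "sub": "alice",
     "iat": NOW, "exp": NOW + 30 * 24 * 3600},
)
HARDENED = make_token(
    {"alg": "ES256", "typ": "JWT", "kid": "2024-05"},
    {"iss": "https://issuer.example", "aud": "api.example", "sub": "alice",
     "iat": NOW, "nbf": NOW, "exp": NOW + 900},
)

if __name__ == "__main__":
    for name, tok in (("weak", WEAK), ("long-lived", LONG_LIVED), ("hardened", HARDENED)):
        print(name, audit(tok, NOW)["score"])
    print(json.dumps(compare(WEAK, LONG_LIVED, NOW), indent=2))
```

Running it scores the alg=none token 0, the long-lived HS256 token 55 and the hardened ES256 token 100; the compare call reports the five issues the HS256 rewrite fixed, the two it introduced (symmetric-alg, lifetime-excessive) and the one it left unchanged (nbf-missing). A CI gate would fail the build when newIssues is non-empty or scoreChange is negative, which is the pre/post check regression mode is meant for.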
Does this tool sign or verify JWTs?
No. JWT Hardener is an analyzer only. It decodes the structure and audits the header and payload but never accesses signing keys or verifies signatures. Use a dedicated JWT library for cryptographic operations.
Can I use this tool via the MCP API?
Yes. The tool is registered on the obfus.link MCP server at https://obfus.link/mcp. Call it from any MCP-compatible agent with a Shared Payment Token. The MCP tool name matches the snake_case slug shown in the integration snippet.