home / skills / aidotnet / moyucode / jwt-decoder

jwt-decoder skill

safe

This skill enables decoding, verifying, and generating JWTs across algorithms, helping you secure tokens and streamline authentication workflows.

npx playbooks add skill aidotnet/moyucode --skill jwt-decoder

Review the files below or copy the command above to add this skill to your agents.

Files (2)

SKILL.md

861 B

---
name: jwt-decoder
description: 解码、验证和生成JWT令牌，支持多种算法。
metadata:
  short-description: JWT令牌工具
source:
  repository: https://github.com/jpadilla/pyjwt
  license: MIT
---

# JWT Decoder Tool

## Description
Decode, verify, and generate JWT (JSON Web Tokens) with support for HS256, RS256, and other algorithms.

## Trigger
- `/jwt` command
- User needs to decode JWT
- User wants to verify tokens

## Usage

```bash
# Decode JWT (no verification)
python scripts/jwt_decoder.py decode "eyJhbGciOiJIUzI1NiIs..."

# Verify JWT with secret
python scripts/jwt_decoder.py verify "eyJ..." --secret "your-secret"

# Generate JWT
python scripts/jwt_decoder.py generate --payload '{"sub": "user123"}' --secret "secret"
```

## Tags
`jwt`, `token`, `auth`, `decode`, `security`

## Compatibility
- Codex: ✅
- Claude Code: ✅

Overview

This skill decodes, verifies, and generates JWT (JSON Web Tokens) with support for common algorithms like HS256 and RS256. It provides quick token inspection, signature verification against secrets or keys, and token creation from JSON payloads. Designed for developers and security engineers needing a lightweight token tool.

How this skill works

The skill accepts raw JWT strings and splits header, payload, and signature for readable decoding without altering the token. For verification, it checks the signature using the provided secret or public key and validates standard claims (exp, nbf, iat) when present. It can also generate new tokens from a JSON payload and sign them with a chosen algorithm and key.

When to use it

Inspect an unfamiliar JWT to view header and payload claims.
Validate a token’s signature and expiration before granting access.
Create test tokens for development or integration testing.
Quickly debug authentication issues by comparing decoded values with expected claims.
Convert between algorithm types or re-sign tokens with a different key.

Best practices

Always verify signatures and claim validity (exp, nbf, aud, iss) before trusting token contents.
Use RS256 (asymmetric) for production where possible; keep private keys secure and rotate regularly.
Never decode only for security decisions—decoding is unauthenticated; always run verification when authenticity matters.
Keep secrets and private keys out of source code and CI logs; use environment variables or secret stores.
Limit token lifetime and include audience/issuer claims for stricter validation.

Example use cases

Decode a token to inspect user id, roles, and expiration in a bug report.
Verify incoming API tokens with the configured secret or public key before processing requests.
Generate short-lived JWTs for local integration tests or service-to-service mockups.
Re-sign tokens with RS256 for migration from HS256 and test compatibility.
Check token claim structure when implementing new authentication middleware.

FAQ

Can it verify tokens signed with RS256?

Yes. Provide the appropriate public key for verification; private keys are used only for signing when generating tokens.

Does decoding validate the token automatically?

No. Decoding only shows header and payload. Perform verification with a secret or key to confirm authenticity and claim validity.