# JWT Decoder & Verifier MCP

> JWT Decoder & Verifier provides cryptographic validation for JSON Web Tokens. This tool lets your AI client decode token claims and, critically, verify that the token's signature hasn't been tampered with and hasn't expired. It handles complex mathematical checks needed to ensure API authentication tokens are legitimate.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** jwt, cryptographic-verification, token-validation, authentication, security, signature-check

## Description

You run into a major problem when dealing with API tokens: simply reading the data inside them isn't enough. An AI agent can easily base64-decode a token, letting you see user IDs or roles. But that process tells you nothing about whether the token was forged or if it expired ten minutes ago. This MCP solves that gap by offloading the math to a dedicated V8 engine.

It lets your agent rigorously check two things: first, it extracts claims like user ID and expiration date instantly. Second, using the provided secret key, it performs a strict cryptographic signature verification. If the token's signature doesn't match the expected key, or if the token is malformed, this MCP fails fast—you know immediately that the authentication data is worthless. Since Vinkius hosts this MCP, your agent can trust that it's calling a dedicated resource designed for security-critical operations.

## Tools

### decode_jwt
Pass the JWT string and an optional secret or public key to decode its claims and, when a key is given, validate its cryptographic signature offline.

## Prompt Examples

**Prompt:** 
```
Decode this JWT token to see what user ID is inside it.
```

**Response:** 
```
JWT Payload: Decoded successfully. User ID is 123.
```

**Prompt:** 
```
Verify this API JWT token using our master secret key.
```

**Response:** 
```
JWT Result: Cryptographic signature verified successfully.
```

**Prompt:** 
```
Check if this authentication token is expired.
```

**Response:** 
```
JWT Error: TokenExpiredError: jwt expired at 2026-01-01.
```

## Capabilities

### Verify Token Signature
It checks the mathematical integrity of the token using a secret key to confirm no one has tampered with it.

### Extract Payload Claims
You can pull out specific data points, like user IDs or roles, from the token's payload without needing network calls.

### Check Token Expiration
It determines if a token has passed its allotted lifespan, flagging it as expired instantly.

## Use Cases

### Handling a Suspicious API Call
A user reports that an endpoint is accepting tokens with manipulated claims. Instead of debugging the entire authentication flow, you pass the suspicious token to `decode_jwt`. The MCP immediately returns 'Invalid Signature,' confirming the client tried to cheat the system.

### Checking User Session Status
Your agent needs to know if a user's session is active. You pass the current token and the secret key into `decode_jwt`. If it returns an 'Expired' error, your agent knows precisely when to prompt for a refresh.

### Pre-flight Audit of Credentials
Before allowing any sensitive task, you run all incoming tokens through the MCP. This ensures that every single token has passed both signature and expiration checks before the workflow continues, stopping bad data at the gate.

## Benefits

- Stop accepting forged credentials. This MCP performs cryptographic signature checks that prove the token originated from a trusted source and hasn't been tampered with.
- Eliminate blind trust in data. You get immediate confirmation on whether a token is expired or if its contents are valid, preventing runtime errors deep within your agent logic.
- Save development time by centralizing validation. Instead of writing boilerplate crypto code for every service, you call one tool: `decode_jwt`.
- Understand the data structure instantly. You can extract user IDs and roles directly from the payload without complex parsing or multiple API calls.
- Build stronger pipelines. By using this MCP, your agent receives only validated credentials, drastically reducing your overall attack surface area.

## How It Works

The bottom line is you get a single, cryptographically sound yes/no answer on whether the token is trustworthy.

1. You give the MCP two things: the JWT string and the master secret key required for validation.
2. The MCP executes `decode_jwt`, running complex cryptographic checks against the provided secrets, checking signature validity and expiration dates in one pass.
3. It returns a definitive status—a clean success message with all decoded claims if valid, or an explicit error detailing *why* it failed (e.g., 'Token Expired' or 'Invalid Signature').

## Frequently Asked Questions

**Can I decode a token without the secret?**
Yes, if you omit the secret, it will only decode the payload, but it will not verify authenticity.

**Does it check expiration dates?**
Yes, if the secret is provided, it will automatically throw an error if the token is expired.

**What algorithms does it support?**
It supports standard JWT algorithms including HS256, HS384, and HS512.

**If I use `decode_jwt` but provide the wrong secret key, what happens?**
It returns a cryptographic signature mismatch error. The tool uses the provided secret key for strict validation; if that key doesn't match the one used to sign the token originally, it immediately fails verification.

**Does running `decode_jwt` require an external API call or internet access?**
No. This MCP operates entirely locally. It performs all mathematical signature verification and decoding within your agent's environment without needing to contact any external service over the internet.

**Can `decode_jwt` extract specific user information like roles or IDs?**
Yes, it extracts the full payload. You can read all embedded claims—including user IDs, assigned roles, and scopes—directly from the decoded JSON object.

**How does `decode_jwt` tell me if a token was forged or tampered with?**
It fails signature verification. The process mathematically checks the entire token against the secret key. If any part has been altered since signing, the cryptographic check will fail immediately.

**Is the process of using `decode_jwt` read-only?**
Yes, it is strictly read-only. This MCP reads and validates tokens; it cannot generate, alter, or write back any modified version of the JWT string itself.