Security Batch Processing 2026-04-07

Bulk JWT Decode and Audit Tokens

Decode and audit hundreds of JWT tokens from logs, databases, or API responses. Extract claims, check expiry, and identify misconfigured tokens at scale.

Tools used: JWT Decoder + Base64 Encoder All Free

The Problem

You have a log file with hundreds of JWT tokens and need to find expired ones, check which users are affected, or audit claim patterns. Decoding them one by one in a web tool isn't practical.

Why Batch Processing Matters

Bulk JWT inspection is critical for security audits (finding tokens with excessive permissions), debugging auth failures across services, monitoring token expiry patterns, and compliance reporting. Automating this turns a day-long manual audit into a 30-second script.

Common Use Cases

Audit all active JWT tokens for expired or soon-to-expire sessions
Extract user IDs and roles from access logs for compliance reports
Find tokens with overly broad permissions across microservices
Debug authentication failures by comparing token claims across environments

Step-by-Step Instructions

Extract JWT tokens from your source

Pull tokens from log files, database exports, or API responses. JWTs start with eyJ — use grep to extract them: grep -oP 'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' access.log

Decode the payload section

A JWT has three parts separated by dots. The middle part is the Base64url-encoded payload. Decode it to read the claims (user ID, roles, expiry).

Run the bulk decode script

Use the scripts below to decode all tokens and output a summary CSV with key claims, expiry status, and any anomalies.

Analyze and filter results

Sort by expiry to find tokens that need rotation. Filter by role to audit permissions. Group by issuer to identify misconfigured services.

Code Examples

# Extract and decode all JWTs from a log file
grep -oP 'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' access.log | \
while read token; do
  payload=$(echo "$token" | cut -d. -f2 | tr '_-' '/+' | base64 -d 2>/dev/null)
  exp=$(echo "$payload" | jq -r '.exp // empty')
  sub=$(echo "$payload" | jq -r '.sub // empty')
  if [ -n "$exp" ]; then
    now=$(date +%s)
    status=$( [ "$exp" -lt "$now" ] && echo "EXPIRED" || echo "valid" )
    echo "$sub,$exp,$status"
  fi
done | sort -t, -k3

# Quick count of expired vs valid tokens
echo "--- Summary ---"
grep -c "EXPIRED" results.csv && echo "expired"
grep -c "valid" results.csv && echo "valid"

import base64
import json
import re
import csv
import time
from pathlib import Path


def decode_jwt_payload(token: str) -> dict | None:
    """Decode JWT payload without verification."""
    try:
        parts = token.split(".")
        if len(parts) != 3:
            return None
        payload = parts[1]
        # Add padding
        payload += "=" * (4 - len(payload) % 4)
        decoded = base64.urlsafe_b64decode(payload)
        return json.loads(decoded)
    except Exception:
        return None


# Extract JWTs from log file
log_text = Path("access.log").read_text()
jwt_pattern = r'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'
tokens = re.findall(jwt_pattern, log_text)
now = int(time.time())

# Decode and audit
with open("jwt_audit.csv", "w", newline="") as f:
    writer = csv.writer(f)
    writer.writerow(["subject", "issuer", "expires", "status", "roles"])
    for token in tokens:
        payload = decode_jwt_payload(token)
        if not payload:
            continue
        exp = payload.get("exp", 0)
        status = "EXPIRED" if exp < now else "valid"
        writer.writerow([
            payload.get("sub", ""),
            payload.get("iss", ""),
            exp,
            status,
            payload.get("roles", payload.get("role", "")),
        ])

print(f"Audited {len(tokens)} tokens → jwt_audit.csv")

const fs = require('fs');

function decodeJwtPayload(token) {
  try {
    const parts = token.split('.');
    if (parts.length !== 3) return null;
    const payload = Buffer.from(parts[1], 'base64url').toString();
    return JSON.parse(payload);
  } catch { return null; }
}

const logText = fs.readFileSync('access.log', 'utf-8');
const jwtRegex = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
const tokens = logText.match(jwtRegex) || [];
const now = Math.floor(Date.now() / 1000);

const results = tokens.map(token => {
  const payload = decodeJwtPayload(token);
  if (!payload) return null;
  return {
    sub: payload.sub || '',
    iss: payload.iss || '',
    exp: payload.exp || 0,
    status: (payload.exp || 0) < now ? 'EXPIRED' : 'valid',
    roles: payload.roles || payload.role || '',
  };
}).filter(Boolean);

// Write CSV
const header = 'subject,issuer,expires,status,roles\n';
const rows = results.map(r =>
  `${r.sub},${r.iss},${r.exp},${r.status},${r.roles}`
).join('\n');
fs.writeFileSync('jwt_audit.csv', header + rows);
console.log(`Audited ${tokens.length} tokens`);

Single vs Batch Comparison

Single token (web tool)

Paste one JWT → see header + payload + expiry

Batch audit output

$ python jwt_audit.py
Audited 342 tokens → jwt_audit.csv

subject,issuer,expires,status,roles
user_123,auth.example.com,1712505600,valid,admin
user_456,auth.example.com,1709827200,EXPIRED,user
svc_billing,internal-auth,1712592000,valid,service
...
Summary: 298 valid, 44 EXPIRED

Download Workflow Template

Save this JSON workflow template to automate this process in your CI/CD pipeline or scripts.

Download jwt-auth-debug-workflow.json

Frequently Asked Questions

Is it safe to decode JWT tokens in bulk?

Decoding (reading the payload) is safe — it doesn't verify or validate the token. However, treat token data as sensitive: don't commit audit CSVs to public repos, and don't decode production tokens on untrusted machines.

Can I verify JWT signatures in batch?

Yes, but you need the signing key. For HS256, pass the shared secret. For RS256, use the public key or JWKS endpoint. Python's pyjwt and Node's jsonwebtoken libraries support batch verification.

How do I extract JWTs from HTTP headers in logs?

Most logs store tokens in the Authorization header. Use: grep -oP 'Bearer \K[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' access.log to extract just the token part.

Related Batch Guides

📦

Each tool runs in your browser with no signup required. Process single items instantly.

Open JWT Decoder Open Base64 Encoder

← All Batch Guides All Developer Guides