JSON web token

Description

General

The JSON web token detector aims to catch any JSON web token that is sensitive and not expired.

This definition is broad, so to avoid raising many false alerts GitGuardian applies a set of validation steps and specifications that narrow the scope the detector looks at.

Specifications

As defined in RFC 7519, a JSON web token (JWT) is composed of three base64url-encoded parts joined by dots: a header, a payload and a signature. The payload is the part the detector inspects: it may carry an expiration date (the exp claim) and a set of key/value pairs. The JWT detector triggers an alert if the token has not expired and if its payload contains sensitive keys such as password, secret or token.

Unlike other generic detectors, the JWT detector does not require any specific validators (pre or post) except GitGuardian's default filename banlist prevalidator. Because the decoded values follow specific patterns, they are easy to identify.

Revoke the secret

This detector catches generic JSON web tokens, so GitGuardian cannot infer which service issued the token. To properly revoke the JSON web token:

  1. Understand what service is impacted.
  2. Refer to the corresponding documentation to know how to revoke and rotate the JSON web token.

Examples

Examples that WILL be caught

- text: >
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxNjc0MDA1NDIyLCJwYXNzd29yZCI6IklqNzg2I2I0bGwxIn0.o99hhHHQt2ztFyNjaQbkuakAz9bT1Kc-GsvphHn_gQs
  token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxNjc0MDA1NDIyLCJwYXNzd29yZCI6IklqNzg2I2I0bGwxIn0.o99hhHHQt2ztFyNjaQbkuakAz9bT1Kc-GsvphHn_gQs
  decoded_token: {"alg":"HS256","typ":"JWT"}{"sub":"1234567890","name":"John Doe","exp":1674005422,"password":"Ij786#b4ll1"}{some_signature_value}

This example token contains both an expiration date that has not yet passed (01/01/2023) and a sensitive key (password).

Examples that WILL NOT be caught

  • No expiration date (so the token never expires), but no sensitive keys either.

- text: >
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
  token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
  decoded_token: {"alg": "HS256","typ": "JWT"}{"sub": "1234567890","name": "John Doe","iat": 1516239022}{some_signature_value}

  • Sensitive key (password), but the expiration date has passed (01/01/2018).

- text: >
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxNTE2MjM5MDIyLCJwYXNzd29yZCI6IklqNzg2I2I0bGwxIn0.WRqpzRexYnJzNk0y4a-IDb4DaFjPVsdc0IjQrrTFcjc
  token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxNTE2MjM5MDIyLCJwYXNzd29yZCI6IklqNzg2I2I0bGwxIn0.WRqpzRexYnJzNk0y4a-IDb4DaFjPVsdc0IjQrrTFcjc
  decoded_token: {"alg": "HS256","typ": "JWT"}{"sub": "1234567890","name": "John Doe","exp": 1516239022, "password":"Ij786#b4ll1"}{some_signature_value}

Details for JSON web token

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 1

  • Occurrences found for one million commits: 12

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - html
    - css
    - md
    - lock
    - storyboard
    - xib
  banlist_filenames:
    - node_modules(/|\\)
    - vendors?(/|\\)
    - top-1000\.txt$
    - \.sops$
    - \.sops\.yaml$
  check_binaries: false
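As an added example (not GitGuardian's own code), the Python script below reimplements the two rules from the Specifications section (payload not expired, and a sensitive key present) together with the FilenameBanlistPreValidator configuration just above, and runs them over the three tokens from the Examples section. The sensitive-key set, the "eyJ" prefix heuristic in the token regex, the pinned clock value and the sample file contents are assumptions made for this example, not part of the page.

```python
import base64
import json
import os
import re

# Payload keys the page names as sensitive. The page says "such as", so the
# real detector's list may be longer: this set is an assumption for the example.
SENSITIVE_KEYS = {"password", "secret", "token"}

# Banlists copied from the page's FilenameBanlistPreValidator configuration.
BANLIST_EXTENSIONS = {"html", "css", "md", "lock", "storyboard", "xib"}
BANLIST_FILENAMES = [
    r"node_modules(/|\\)",
    r"vendors?(/|\\)",
    r"top-1000\.txt$",
    r"\.sops$",
    r"\.sops\.yaml$",
]

# Three dot-separated base64url segments. A JSON header such as {"alg":...}
# base64url-encodes to a string beginning with "eyJ"; using that prefix keeps
# the regex from matching arbitrary dotted identifiers (heuristic, assumed).
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

# The page's three example tokens.
CAUGHT = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
          "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxNjc0MDA1NDIyLCJwYXNzd29yZCI6IklqNzg2I2I0bGwxIn0."
          "o99hhHHQt2ztFyNjaQbkuakAz9bT1Kc-GsvphHn_gQs")
NO_SENSITIVE = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
                "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")
EXPIRED = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
           "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxNTE2MjM5MDIyLCJwYXNzd29yZCI6IklqNzg2I2I0bGwxIn0."
           "WRqpzRexYnJzNk0y4a-IDb4DaFjPVsdc0IjQrrTFcjc")

# Constructed clock (2020-09-13 UTC): between the two expiry dates the page
# quotes, so the first token is still valid and the third is already expired.
NOW = 1_600_000_000


def filename_banned(path: str) -> bool:
    """Mirror the prevalidator: skip files whose extension or path is banlisted."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if ext in BANLIST_EXTENSIONS:
        return True
    return any(re.search(pattern, path) for pattern in BANLIST_FILENAMES)


def b64url_decode(segment: str) -> bytes:
    """JWT segments omit base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str):
    """Return (header, claims) as dicts, or None when the token does not parse."""
    try:
        header_b64, payload_b64, _signature = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    return header, claims


def is_sensitive_jwt(token: str, now: int = NOW) -> bool:
    """The page's two rules: the token is not expired and a sensitive key is present."""
    decoded = decode_jwt(token)
    if decoded is None:
        return False
    _header, claims = decoded
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return False  # expired tokens are not reported
    # A missing "exp" means the token never expires, so it still counts as valid.
    return any(str(key).lower() in SENSITIVE_KEYS for key in claims)


def scan_file(path: str, content: str, now: int = NOW) -> list:
    """Run the prevalidator, then report sensitive unexpired JWTs found in the content."""
    if filename_banned(path):
        return []
    return [tok for tok in JWT_RE.findall(content) if is_sensitive_jwt(tok, now)]


# Constructed file contents embedding all three page tokens.
SAMPLE_CONTENT = f"""
AUTH_TOKEN={CAUGHT}
SESSION={NO_SENSITIVE}
OLD_TOKEN={EXPIRED}
"""

if __name__ == "__main__":
    for tok in (CAUGHT, NO_SENSITIVE, EXPIRED):
        print(is_sensitive_jwt(tok), tok[:30] + "...")
    print(scan_file("src/settings.py", SAMPLE_CONTENT))  # only CAUGHT
    print(scan_file("README.md", SAMPLE_CONTENT))        # [] : .md is banlisted
```

The clock is passed in explicitly rather than read from time.time() because the first page token's exp claim (1674005422) has itself passed since the page was written; with the current time the detector logic would classify it as expired too, which is exactly the behaviour the Specifications section describes.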