JWT.io is widely known among developers for its convenient JWT debugger and its curated list of libraries supporting JSON Web Tokens across dozens of programming languages. While it's a helpful resource, there's a serious and often overlooked issue: many of the libraries listed are outdated, unmaintained, or outright insecure.

The Problem: Abandoned and Insecure Libraries

JWT.io not only showcases active libraries—it also lists libraries that haven't seen updates in years, or have even been archived entirely. This poses a significant risk to developers who rely on the site to find a reliable library for implementing JWT in their applications.

📁 Archived Repositories (No Longer Maintained)

• robbert229/jwt (archived April 2024)
• square/go-jose (archived February 2023)
• olehlong/jwtd (archived October 2021)
• zolamk/jwt (archived May 2018)
• iain-logan/jwt (archived September 2022)
• babelouest/rhonabwy (archived November 2024)
• nov/jose-php (archived January 2024)

💤 Libraries Untouched for Years

Several libraries haven’t been updated in over 5–10 years, making them highly questionable for use in modern applications.

• 2015:
  • dvsekhvalnov/jose-rt
  • tjcelaya/jwt.q
• 2016:
  • kaleidos/grails-security-stateless
• 2017:
  • nickvellios/gojwt
  • zolamk/jwt
  • garyf/json_web_token
  • garyf/json_web_token_ex
  • janjaali/spray-jwt
  • SkyLothar/lua-resty-jwt
  • emarref/jwt
  • vaibhavpandeyvpz/jweety
• 2018:
  • SermoDigital/jose
  • robbert229/jwt
  • iain-logan/jwt
• 2019:
  • kylef/JSONWebToken.swift
  • jasongoodwin/authentikat-jwt
  • cisco/cjose
• 2020:
  • olehlong/jwtd
  • Wstunes/SwiftyJWT
  • reznikmm/jwt

Maturity and Compliance: All Over the Place

The maturity of these libraries varies wildly. One supports a cryptographic algorithm that doesn’t even exist in the JWT specification: HMAC-MD5, or worse—make security design decisions that are completely unsafe.

Examples:

• One library uses a Regular Expression to extract the algorithm from the JWT header instead of parsing the JSON.
• Another signs tokens using a random string of random length and the payload as the secret.
• Some libraries only support HMAC-SHA256, offering no flexibility or standards compliance.

I also tried reporting a security issue to a Scala library: spray-jwt#5 – no response since October 2024.

Raising the Alarm

I raised this problem last year by opening an issue on the JWT.io GitHub repository. Since then, I’ve also submitted multiple pull requests:

• Add a warning about outdated libraries
• Propose removal of an abandoned library

Unfortunately, there has been little to no action so far.

Why This Matters

JWTs are commonly used for authentication and authorization—core components of application security. Using outdated or broken JWT libraries can lead to:

• Token forgery
• Authentication bypass
• Insecure cryptographic handling
• Hard-to-detect vulnerabilities in production

What Can Be Done?

1. Audit the library list: Libraries should be reviewed periodically for activity and security.
2. Add metadata: Show last update date, archive status, and supported algorithms.
3. Let the community flag problems: Add a simple reporting system for issues with listed libraries.
4. Set a minimum bar: Exclude libraries that don’t follow the JWT spec or use insecure defaults.

---

TL;DR: JWT.io is a popular and convenient tool, but the library list can be dangerous. Developers may unknowingly choose insecure or abandoned libraries. We need better transparency and active curation to keep the ecosystem secure.

Want to help? Star or comment on the issue I opened here:
👉 jsonwebtoken/jsonwebtoken.github.io#717