Pro Feature

JWT Token Leak Detection

Auth0 reports that over 80% of web applications use JWTs for authentication — making token leaks one of the most widespread security risks on the web. Developers treat JWTs like session cookies, but they're really self-contained access passes — and when one leaks, the attacker doesn't need your password to become you.

What JWT Token Leaks Does PhishClean Detect?

Live Session Tokens

JWTs sitting in page source, URL parameters, or JavaScript variables. If it's on the page and it hasn't expired, anyone visiting can grab it and replay it against your API. That's instant account takeover.

Expired Tokens (Still Dangerous)

An expired JWT can't be used to authenticate directly. But it still leaks your user ID, email, role, and internal API structure — useful reconnaissance for a targeted attack.

Weak or Unsigned Tokens

JWTs using alg: "none" or HS256 with a guessable secret. These can be forged — an attacker changes "role":"user" to "role":"admin" and the server accepts it.

What a JWT Actually Looks Like

// Three base64url-encoded parts (header.payload.signature) separated by dots:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwiZW1haWwiOiJ1c2VyQGV4YW1wbGUuY29tIiwicm9sZSI6ImFkbWluIn0.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

// Anyone can decode the middle part. No key needed:
{ "sub": "1234567890", "email": "user@example.com", "role": "admin" }

That middle section is just base64 — not encrypted. Anyone can paste it into jwt.io and read the contents. If this token appears anywhere on a web page, you have a problem.

A Real Scenario

Here's something we see more often than you'd think: a developer adds console.log(token) while debugging authentication. It works, they ship the fix, and forget to remove the log statement. Now every user's JWT gets printed to the browser console — and any injected script or hidden iframe on the page can read it.

Another common one: tokens passed as URL query parameters. https://app.com/dashboard?token=eyJhbG... — this gets logged by analytics tools, proxies, browser history, and any extension with URL access. If you're storing tokens in localStorage, any XSS vulnerability on the page exposes them too.
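The two leak paths just described, a forgotten console.log and a token in a query string, can both be closed on the client side with a little hygiene. The following is an added example, not PhishClean's code: a redacting logger and a URL check, written for Node.js (it relies on the Buffer-free `URL` global only) and reusing the sample token printed earlier on this page as its constructed input.

```javascript
// Added example, not PhishClean's code: keep JWTs out of console output, logs
// and URLs, the leak paths described above. Node.js, no dependencies.

// Header and payload are base64url-encoded JSON objects, so both start with
// "eyJ" (the encoding of '{"'); the signature may be empty for alg "none".
const JWT_ANYWHERE = /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;
const JWT_EXACT = /^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Replace each token with a fingerprint: its first 8 characters (always the
// start of the header, i.e. '{"alg":') plus its length. Enough to correlate a
// log line with a token, not enough to decode the payload or replay it.
function redactJwts(text) {
  return text.replace(JWT_ANYWHERE, (t) => `<jwt:${t.slice(0, 8)}...len=${t.length}>`);
}

// Redact every argument, stringifying non-strings so nested tokens are caught.
function redactArgs(args) {
  return args.map((a) => redactJwts(typeof a === 'string' ? a : String(JSON.stringify(a))));
}

// Drop-in replacement for the console.log(token) left behind after debugging.
const safeConsole = { log: (...args) => console.log(...redactArgs(args)) };

// Names of query parameters whose value is a JWT, e.g. "?token=eyJ..." above.
// Suitable for a navigation or request hook that refuses or rewrites such URLs.
function tokenBearingParams(url) {
  const hits = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (JWT_EXACT.test(value)) hits.push(name);
  }
  return hits;
}

// Constructed sample: the token shown earlier on this page, placed in a URL.
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwiZW1haWwiOiJ1c2VyQGV4YW1wbGUuY29tIiwicm9sZSI6ImFkbWluIn0.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
const SAMPLE_URL = `https://app.example/dashboard?user=42&token=${SAMPLE_TOKEN}`;

// Prints the object with the token replaced by its fingerprint.
safeConsole.log('auth ok for', { user: 42, access_token: SAMPLE_TOKEN });
```

Redaction is a safety net for the log statement that slips through review; the URL check is the part that should be wired into whatever builds or follows links, since a token that never enters a query string never reaches analytics, proxies or browser history in the first place.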

How Does JWT Leak Detection Work?

1. Pattern scan. When a page loads, PhishClean checks the page source, inline scripts, URL parameters, and localStorage for the telltale JWT pattern — three base64 segments joined by dots.
2. Local decode. Matched tokens are decoded right in your browser. We check the algorithm header, expiration claim, and what's in the payload — without sending anything anywhere.
3. Risk rating. A live admin token in page source? Critical. An expired token in a jwt.io tutorial? Low risk. Context matters, and we account for it.
4. Alert with details. You see the token type, whether it's expired, what roles it carries, and where on the page it was found. You decide what to do next.

Why JWT Leaks Are Different From Other Secret Leaks

A leaked API key is bad. A leaked JWT is often worse. Here's why:

PhishClean's JWT detection works alongside its other 13 signals. A JWT on a phishing page compounds the risk score. A JWT plus an HTTPS downgrade is a red flag that something is actively being intercepted.

Catch Leaked Tokens Before They're Exploited

PhishClean detects exposed JWTs on every page — locally, in real time. 3-day free trial, no credit card required.

Install PhishClean