General Wisdom JWT Session Validation Demo

1. Enter Session JWT

Paste the JWT token you received from General Wisdom (from ?jwt= query parameter or session creation response)

2. Decoded JWT (Client-Side)

This shows the JWT header and payload decoded without signature verification. Anyone can decode a JWT without validating it.

Header

Payload (Claims)

⚠️ Important: Decoding is NOT the same as validation. You MUST verify the signature using the JWKS endpoint to ensure the token is authentic and hasn't been tampered with.

3. Session Information

Session ID: -

User ID: -

Organization ID: -

Application ID: -

Duration: -

Start Time: -

Expires At: -

Time Remaining: -

Status: -

4. Server Validation Result

📖 How to Integrate with Your Application

Extract JWT from URL:

const token = new URLSearchParams(window.location.search).get('gwSession');

Validate signature using JWKS endpoint:

// Server-side validation required!
// Use libraries: jsonwebtoken + jwks-rsa (Node.js)
// JWKS endpoint: https://api.generalwisdom.com/.well-known/jwks.json

Verify required claims (Platform Security):
- iss must equal "generalwisdom.com"
- exp must be in the future (not expired)
- applicationId must match your application ID

Extract session data:

const sessionData = {
  sessionId: claims.sessionId,
  userId: claims.userId,
  orgId: claims.orgId,
  expiresAt: new Date(claims.exp * 1000)
};

🔒 Security Note: Always validate JWT signatures on your server. Never trust client-side decoding alone. Use the JWKS endpoint to retrieve the public key and verify the RS256 signature.

🔐 General Wisdom JWT Session Validator