Signed Cookie Decode

Verify and parse a signed cookie from Express (cookie-signature), Flask (itsdangerous), or Rails. The tool splits on the framework-specific separator, recomputes the HMAC under your secret, and reports whether the signature is valid along with the decoded payload. The signature comparison is constant-time, so timing differences cannot leak the correct signature.

About Signed Cookie Decode

Signed Cookie Decode verifies and parses a signed cookie from Express (cookie-signature), Flask (itsdangerous), or Rails. It splits on the framework's separator, recomputes the HMAC under the secret you provide, and reports whether the signature is valid along with the decoded payload. The comparison is constant-time so the signature can't be guessed through timing, and the whole process runs in your browser.

Category: inspect
Input: accepts */*
Output: application/json
Cost: free, runs in your browser
Memory: low
Privacy: Signed Cookie Decode runs entirely on your device. Files you provide never leave your browser — no uploads, no server, no tracking. The page works offline once loaded.

Common uses

  • Confirm a session cookie from your Express app is signed correctly while debugging auth
  • Decode a Flask itsdangerous session to inspect the flash messages and user id it carries
  • Check whether a Rails signed cookie validates under a rotated secret_key_base
  • Diagnose why a request is being rejected by seeing if the cookie's HMAC actually matches
  • Verify that a tampered cookie reported by a security scan really fails signature validation
  • Read the payload of a third-party signed cookie to understand its structure before integrating

Frequently asked questions

Which frameworks are supported?

Express (cookie-signature), Flask (itsdangerous), and Rails. The tool knows each one's separator and signing scheme.

Do I need the signing secret?

Yes, to verify the HMAC. Provide the same secret your app uses, and the tool reports whether the signature is valid.

Is my secret sent to a server?

No. Verification runs entirely in your browser, so the secret and cookie never leave your device, which matters because the secret is sensitive.

Why does it use a constant-time compare?

Comparing the recomputed and provided signatures in constant time prevents timing attacks that could otherwise leak the correct signature byte by byte.

What does it return?

JSON with a valid flag and the decoded payload, so you can see both whether the cookie is trustworthy and what it contains.

Keywords

  • cookie
  • session
  • signed
  • verify
  • express
  • flask
  • rails
  • itsdangerous
  • hmac