JWT Tool
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. This tool allows you to decode, verify, and generate JWTs. JWTs are commonly used for authentication and information exchange in web applications.
JWT Generator
Create a new JWT token by setting the header, payload, and signing with a secret key.
JWT Decoder
Paste your JWT token below to decode its header and payload.
JWT Verification
Verify a JWT token against a secret key or public key.
Common JWT Claims
The following are standard JWT claims that you can include in your payload:
| Claim | Description |
|---|---|
| iss | Issuer of the token |
| sub | Subject of the token (usually user ID) |
| aud | Audience the token is intended for |
| exp | Expiration time (Unix timestamp) |
| nbf | Not before time (Unix timestamp) |
| iat | Issued at time (Unix timestamp) |
| jti | JWT ID (unique identifier for the token) |
What is a JSON Web Token (JWT)?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
JWT vs. Session-based Auth
Why use JWT instead of traditional sessions?
- Stateless: The server doesn't need to store session data in memory or a database. Everything required to identify the user is inside the token.
- Scalability: Since it's stateless, any server in a cluster can verify the token, making horizontal scaling much easier.
- Cross-Domain: JWTs work seamlessly across different domains and mobile apps, whereas cookies/sessions often face CORS limitations.
Common JWT Vulnerabilities
When implementing JWT, beware of these common security pitfalls:
- Weak Secret Keys: Using a simple or short secret makes it feasible for an attacker to brute-force the signing secret and then forge tokens. Always use a long, randomly generated, cryptographically secure key.
- The "None" Algorithm: Some old libraries allowed an `alg: "none"` header, which bypasses signature verification. Modern libraries block this by default.
- Sensitive Data in Payload: Remember that the payload is only Base64 encoded, not encrypted. Never put passwords, social security numbers, or other sensitive data in a JWT.
Best Practices for JWT Security
- Short Expiration: Set a short `exp` (e.g., 15 minutes) to minimize the window of opportunity if a token is stolen.
- Use Refresh Tokens: Use a short-lived Access Token and a long-lived Refresh Token stored securely (e.g., in an HTTP-only cookie).
- Secure Storage: Avoid storing JWTs in `localStorage`: any XSS vulnerability on the page lets injected script read the token. HTTP-only cookies are a safer alternative for web browsers.
- Validate Claims: Always check the `iss` (issuer), `aud` (audience), and `exp` (expiration) claims on the server side.
How to use this tool
Our tool provides three main features:
- Generate: Create a new JWT by specifying your own payload, secret key, and algorithm.
- Decode: Paste any JWT to instantly view its header and payload contents without needing the secret key.
- Verify: Paste a JWT and provide the corresponding secret key or public key to verify its signature and ensure the token hasn't been tampered with.