JWT Encoder/Decoder

What is JWT (JSON Web Token)?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. Because of its small size using Base64Url encoding, it can be sent via URL, POST parameter, or inside an HTTP header.

The Structure of a JWT

A JWT technically consists of three parts separated by dots (.), which are:

• Header : The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
• Payload : The payload contains the claims. Claims are statements about an entity (typically the user) and additional data. There are three types of claims: registered, public, and private claims.
• Signature : To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that. The signature is used to verify the message wasn't changed along the way.

Supported Algorithms

This tool supports decoding and verification for all standard algorithms and generation for symmetric ones:

• HS256: HS256 (HMAC SHA-256): Symmetric. Requires a shared secret key. Fast and common for microservices.
• HS384: HS384 (HMAC SHA-384): Symmetric. Uses a 384-bit hash for higher collision resistance.
• HS512: HS512 (HMAC SHA-512): Symmetric. Uses a 512-bit hash. Most secure for symmetric signing.
• RS256: RS256 (RSA SHA-256): Asymmetric. Uses a Private Key to sign and a Public Key to verify. Ideal for public APIs.
• RS384: RS384 (RSA SHA-384): Asymmetric. Stronger hashing than RS256.
• RS512: RS512 (RSA SHA-512): Asymmetric. Highest security for RSA signatures.

Understanding JWT Claims

Claims are pieces of information asserted about a subject. Standard registered claims include:

• iss (Issuer): iss (Issuer): Identifies the principal that issued the JWT.
• sub (Subject): sub (Subject): Identifies the principal that is the subject of the JWT.
• aud (Audience): aud (Audience): Identifies the recipients that the JWT is intended for.
• exp (Expiration Time): exp (Expiration Time): Identifies the expiration time on or after which the JWT must not be accepted.
• nbf (Not Before): nbf (Not Before): Identifies the time before which the JWT must not be accepted.
• iat (Issued At): iat (Issued At): Identifies the time at which the JWT was issued.
• jti (JWT ID): jti (JWT ID): Provides a unique identifier for the JWT.

When Should You Use JWT?

• Authorization: This is the most common scenario. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.
• Information Exchange: JWTs are a good way of securely transmitting information between parties. Because JWTs can be signed, you can be sure the senders are who they say they are.
• Stateless Sessions: Unlike server-side sessions, JWTs contain all necessary user data, reducing database hits for session lookups.
• Cross-Domain SSO: Because JWTs are stateless and compact, they are easily transmitted across different domains for Single Sign-On implementations.
• API Security: Securing RESTful APIs where the server does not maintain session state.

References

• RFC 7519 - JSON Web Token (JWT) Specification
• JWT.io - Official Industry Resource
• MDN Web Docs: Crypto API