What is a JSON Web Token (JWT)?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
The Three Parts of a JWT
In its encoded form, a JSON Web Token is a string consisting of three parts separated by dots (.):
- Header: Typically consists of two parts: the type of the token (which is JWT) and the signing algorithm being used (such as HMAC SHA256 or RSA).
- Payload: Contains the "claims". Claims are statements about an entity (typically, the user) and additional data (such as issuing authority `iss`, expiration time `exp`, and subject `sub`).
- Signature: To create the signature, you take the encoded header, the encoded payload, a secret, and the algorithm specified in the header, and sign that. This signature is used to verify that the sender is who they say they are and to ensure the message wasn't changed along the way.
Common JWT Claims
The payload of a JWT contains claims that define session values. Standard claims include:
- `sub` (Subject): Identifies the user or client ID.
- `iss` (Issuer): Identifies who created and issued the token.
- `exp` (Expiration Time): The Unix epoch timestamp indicating when the token expires and becomes invalid.
- `iat` (Issued At): The Unix epoch timestamp indicating when the token was created.
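The three-part structure and the HMAC signing step described above, as an added example that is not part of this page's tool: it builds an HS256 token from a header and claims, then verifies it the way a relying party should, pinning the expected algorithm, comparing the signature in constant time, and rejecting an expired `exp`. The secret and claims are constructed demo values; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment):
    """Base64url-decode one JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(claims, secret):
    """Build header.payload.signature, signing with HMAC-SHA256 over the two encoded parts."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = b64url_encode(header) + "." + b64url_encode(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token, secret, now=None):
    """Check the signature and the exp claim; return the claims or raise ValueError."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the verifier expects rather than trusting the header's "alg".
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so a mismatch does not leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    # Constructed demo secret and claims; not real credentials.
    secret = b"constructed-demo-secret"
    token = sign_hs256({"sub": "1234567890", "iss": "demo", "iat": 1700000000, "exp": 1700003600}, secret)
    print(verify_hs256(token, secret, now=1700000100))
```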
Is it secure to paste my JWTs here?
Yes. Our JWT tool is designed for debugging and troubleshooting and executes **100% client-side in your web browser**. No token data, header details, signature components, or claims payloads are sent to our servers. Because of this, it is perfectly safe for local debugging. *Note: You should never share your signing secrets or private keys on public forums.*