JWT Encoder and Decoder

Securely encode and decode JSON Web Tokens (JWT) for authentication and data exchange.

What is JWT?

JSON Web Token (JWT) is a compact, URL-safe way of representing claims to be transferred between two parties. JWT is widely used for authentication and secure information exchange in web applications. Each JWT consists of three main parts: Header, Payload, and Signature.

JWT Structure

  1. Header: Specifies the token type (usually JWT) and the signing algorithm (e.g., HS256).
  2. Payload: Contains the claims, typically information about the user or other metadata. For example, claims can include the user's ID (`sub`), username, and the time the token was issued (`iat`).
  3. Signature: Lets the recipient verify that the header and payload have not been altered. It is computed over the encoded header and payload with a secret key (or, for asymmetric algorithms, the issuer's private key).

Example JWT

A sample JWT might look like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

JWT Encode and Decode

The process of encoding a JWT involves converting the header and the claims into Base64url-encoded strings and appending a digital signature computed over them; decoding reverses the Base64url step and then checks that signature. The token is typically passed in the HTTP Authorization header during authentication.

JWT Encoding (Example)


          const header = {
            "alg": "HS256",
            "typ": "JWT"
          };

          const payload = {
            "sub": "1234567890",
            "name": "John Doe",
            "iat": 1516239022
          };

          // Create a JWT (encoded)
          const encodedToken = base64UrlEncode(header) + "." + base64UrlEncode(payload) + "." + sign(header, payload);
          

JWT Decoding (Example)


          const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

          // Split the token into parts
          const [header, payload, signature] = token.split('.');

          // Decode the header and payload (they are base64Url encoded)
          const decodedHeader = base64UrlDecode(header);
          const decodedPayload = base64UrlDecode(payload);
            

The signature is verified using the same secret key that signed the token (for symmetric algorithms such as HS256) or the public key that pairs with the issuer's private key (for asymmetric algorithms like RS256). JWT is widely used for secure web-based authentication: the client receives a token upon login and sends it with each request to prove its identity.

Key Features and Tips

  • JWTs are self-contained, meaning all the information needed for authentication is stored within the token itself.
  • JWTs can be sent in either cookies or the Authorization header of HTTP requests.
  • JWTs are signed, not encrypted, by default: anyone holding the token can read the payload, so sensitive information should not be stored in it, and tokens should only travel over a secure transport such as HTTPS.
  • Always verify the signature of the JWT to ensure it hasn't been tampered with, and reject tokens whose header names an algorithm you do not expect (such as `none`).
  • JWTs typically have an expiration time (`exp` claim), which limits their validity period; check it after the signature has been verified.
  • To secure JWTs, use strong, random secret keys for signing and validate tokens on the server side; never trust claims that were only decoded on the client.