Question 1

What is a JSON Web Token (JWT)?

Accepted Answer

A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe JSON object. JWTs are digitally signed using a secret (HMAC) or a public/private key pair (RSA or ECDSA), ensuring the data hasn't been tampered with. They consist of three parts: a header, a payload, and a signature, separated by dots.

Question 2

What are the three parts of a JWT?

Accepted Answer

A JWT has three Base64URL-encoded parts separated by dots: (1) Header — contains the signing algorithm (alg) and token type (typ), e.g. {"alg": "HS256", "typ": "JWT"}. (2) Payload — contains claims, which are statements about the entity (user) and additional metadata like expiration (exp), issued-at (iat), and subject (sub). (3) Signature — created by signing the encoded header and payload with a secret key using the algorithm specified in the header.

Question 3

How does JWT authentication work?

Accepted Answer

In a typical flow: (1) The user logs in with credentials. (2) The server verifies credentials and creates a JWT signed with a secret key, embedding user identity and permissions in the payload. (3) The JWT is sent to the client (usually in a response body or Set-Cookie header). (4) The client includes the JWT in subsequent requests (typically in the Authorization: Bearer header). (5) The server verifies the JWT signature and extracts claims without hitting a database.

Question 4

What is the difference between HS256 and RS256?

Accepted Answer

HS256 (HMAC with SHA-256) uses a single shared secret for both signing and verification — both parties must know the same secret. RS256 (RSA with SHA-256) uses an asymmetric key pair: a private key signs the token and a public key verifies it. RS256 is preferred in distributed systems where you want multiple services to verify tokens without sharing a private key. HS256 is simpler and faster, suitable for single-server setups.

Question 5

Are JWTs encrypted? Is it safe to put sensitive data in a JWT?

Accepted Answer

Standard JWTs (JWS) are signed but NOT encrypted — the payload is Base64URL-encoded, which is easily decoded by anyone. Never put passwords, credit card numbers, or other secrets in a JWT payload. If you need encryption, use JWE (JSON Web Encryption), which encrypts the payload. In practice, JWTs typically contain non-sensitive identifiers (user ID, roles, expiration) rather than actual secrets.

Question 6

What are registered claims in a JWT?

Accepted Answer

Registered claims are predefined, standardized claim names recommended by the JWT specification: iss (issuer), sub (subject), aud (audience), exp (expiration time as Unix epoch seconds), nbf (not before — token is invalid before this time), iat (issued at), and jti (JWT ID — unique identifier to prevent replay attacks). These are not mandatory but are widely recognized and expected by JWT libraries.

Question 7

How do I handle JWT expiration?

Accepted Answer

Set the 'exp' claim to a Unix epoch timestamp when the token should expire. Short-lived access tokens (5-15 minutes) are paired with longer-lived refresh tokens (days/weeks). When an access token expires, the client uses the refresh token to request a new access token without re-authenticating. This limits the damage window if an access token is compromised.

Question 8

What is JWT.io and how does this tool compare?

Accepted Answer

JWT.io is a popular online debugger by Auth0 for decoding, verifying, and generating JWTs. Our JWT Playground provides similar functionality — paste a token to instantly decode the header and payload, verify the signature with a secret, and encode new tokens. Everything runs in your browser using the Web Crypto API — no tokens are sent to any server, ensuring complete privacy.

Question 9

Can JWTs be revoked or invalidated?

Accepted Answer

JWTs are stateless by design — once issued, they're valid until they expire. To 'revoke' a JWT, you need a server-side mechanism: (1) A blocklist/denylist of revoked token IDs (jti) checked on each request. (2) Short expiration times so tokens naturally expire quickly. (3) Rotating the signing secret (invalidates ALL tokens). (4) Token versioning — increment a version counter in the user record and embed it in the JWT. These add statefulness but are necessary for logout and security.

Question 10

What is the difference between JWT, JWS, JWE, and JWK?

Accepted Answer

JWT (JSON Web Token) is the abstract concept of a compact claims token. JWS (JSON Web Signature) is a JWT that's signed for integrity — this is what most people mean by 'JWT'. JWE (JSON Web Encryption) is a JWT that's encrypted for confidentiality. JWK (JSON Web Key) is a JSON format for representing cryptographic keys, often used in JWKS (JSON Web Key Set) endpoints for key distribution in OAuth/OIDC systems.

Question 11

How do I decode a JWT without a library?

Accepted Answer

Split the token by dots to get header, payload, and signature. Base64URL-decode the header and payload (replace - with +, _ with /, add padding, then atob/base64decode). Parse the resulting strings as JSON. In JavaScript: JSON.parse(atob(token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/'))). Note: this decodes but doesn't verify the signature — always verify before trusting the claims.

Question 12

Where should I store JWTs on the client side?

Accepted Answer

The two main options are: (1) HttpOnly cookies — protected against XSS attacks since JavaScript can't access them, but vulnerable to CSRF (mitigate with SameSite attribute and CSRF tokens). (2) localStorage/sessionStorage — accessible via JavaScript (convenient for SPAs) but vulnerable to XSS attacks. HttpOnly cookies are generally recommended for web applications. Never store JWTs in regular cookies without HttpOnly flag.

JWT Decoder, Encoder & Verifier

Related Tools

Epoch Converter

Base64 Encoder/Decoder

JSON Editor

What is a JSON Web Token (JWT)?

How Does JWT Authentication Work?

Why Use This JWT Debugger?

JWT Security Best Practices

Frequently Asked Questions About JSON Web Tokens