#01
What Is JWT?
JWT (JSON Web Token) is a compact, URL-safe token format defined by RFC 7519. It allows two parties to securely exchange information in the form of a JSON object.
A complete JWT consists of three Base64URL strings separated by dots: Header, Payload, and Signature. The Header declares the signing algorithm and token type, the Payload carries business claims (e.g. user ID, roles), and the Signature guarantees that the first two parts have not been tampered with in transit.
Our tool lets you both sign and parse tokens entirely in your browser, making it an efficient helper for debugging APIs and testing HS256 / RS256 / ES256 signatures.
#02
Common Algorithms and Claim Usage
JWT supports two main families of signing algorithms: symmetric (HS256 / HS384 / HS512) and asymmetric (RS256 / RS384 / RS512, ES256 / ES384 / ES512).
- HS256 / HS384 / HS512: HMAC-based symmetric signatures. The server and clients share a single secret key. Simple to implement and cheap to compute — a good fit for internal systems and monolithic apps.
- RS256 / RS384 / RS512: RSA key-pair signatures. Sign with the private key, verify with the public key — removes the risk of leaking a shared secret across many parties.
- ES256 / ES384 / ES512: ECDSA signatures based on elliptic curves. Signatures are shorter and computationally cheaper than RSA — ideal for resource-constrained environments.
Standard registered claims in the Payload dramatically improve verifiability: exp (expiration), nbf (not before), iat (issued at), iss (issuer), aud (audience), sub (subject). Always include exp at a minimum to prevent stale tokens from being replayed.
#03
Data Security & Privacy
Remember: the JWT Payload is only Base64-encoded, not encrypted. Anyone with the token can decode it — never store plain-text passwords, ID numbers, phone numbers, or bank card numbers inside.
Both signing and parsing in our tool happen entirely inside your browser. Nothing is uploaded to a server, and nothing is persisted to localStorage.
Additional recommendations:
- Use an incognito / private window or an offline environment when working with production secrets, then clear your input afterward.
- For production, use keys of at least 256 bits for HS256, and rotate them regularly.
- Always enforce HTTPS to prevent tokens from being intercepted on the network.
- On the server side, always verify both exp and the signature, and reject alg=none.