JWT Builder
Encode and decode JSON Web Tokens easily. Free JWT builder tool to assemble and inspect token payloads.
Encode and decode JSON Web Tokens easily. Free JWT builder tool to assemble and inspect token payloads.
A JWT is a compact, URL-safe token that encodes a JSON payload and a cryptographic signature. It is widely used for stateless authentication — the server validates the signature without needing to look up a session in a database.
alg) and token type (typ: "JWT")sub (subject), iat (issued at), exp (expiry), plus custom dataxxxxx.yyyyy.zzzzzNo — the header and payload are Base64URL encoded, not encrypted. Anyone who holds the token can decode and read the payload without the secret key. Never store sensitive data (passwords, SSNs, credit cards) in a JWT payload unless you use JWE (JSON Web Encryption).
HS256 uses a single shared secret that both signs and verifies — if you share the secret, the receiver can also create tokens. RS256 uses a private key to sign and a public key to verify — you can publish the public key so anyone can verify tokens without being able to create them.
Standard JWTs are stateless and cannot be revoked individually. Common workarounds: keep a server-side blocklist of invalidated token IDs (jti claim), use short expiry times with refresh tokens, or switch to opaque session tokens for scenarios requiring immediate invalidation.