Advertisement

JWT Builder

Encode and decode JSON Web Tokens easily. Free JWT builder tool to assemble and inspect token payloads.

Advertisement

JSON Web Tokens (JWT)

A JWT is a compact, URL-safe token that encodes a JSON payload and a cryptographic signature. It is widely used for stateless authentication — the server validates the signature without needing to look up a session in a database.

JWT Structure

Common Algorithms

Is the JWT payload encrypted?

No — the header and payload are Base64URL encoded, not encrypted. Anyone who holds the token can decode and read the payload without the secret key. Never store sensitive data (passwords, SSNs, credit cards) in a JWT payload unless you use JWE (JSON Web Encryption).

What is the difference between HS256 and RS256?

HS256 uses a single shared secret that both signs and verifies — if you share the secret, the receiver can also create tokens. RS256 uses a private key to sign and a public key to verify — you can publish the public key so anyone can verify tokens without being able to create them.

How do I invalidate a JWT before it expires?

Standard JWTs are stateless and cannot be revoked individually. Common workarounds: keep a server-side blocklist of invalidated token IDs (jti claim), use short expiry times with refresh tokens, or switch to opaque session tokens for scenarios requiring immediate invalidation.