JWT Decoder
Decode and inspect JSON Web Tokens with expiration checking.
Sign a JSON Web Token with HS256, HS384, or HS512 directly in your browser. Type your header and payload, pick an algorithm, supply a secret, and get the signed token — header, payload, and signature joined into the standard <code>xxx.yyy.zzz</code> shape. Signing uses the Web Crypto API, so nothing is ever sent to a server. Pair with the <a href="/jwt-decoder/">JWT decoder</a> to verify the output round-trips correctly.
header.payload.signature. Copy and use it in an Authorization: Bearer header or wherever you need.A JWT is built in three steps. First, the header is JSON describing the signing algorithm and the token type — typically {"alg":"HS256","typ":"JWT"}. Second, the payload is JSON containing claims like sub (subject — usually a user ID), iat (issued at, a Unix timestamp), exp (expiration, also a timestamp), and any custom fields your app needs. Third, the signature is computed over the base64url-encoded header and payload joined by a dot, using HMAC-SHA256 (for HS256) and the shared secret. All three parts are then base64url-encoded and joined with dots to produce the final header.payload.signature string.
Receivers verify a JWT by re-computing the signature from the received header and payload using the shared secret, then comparing it against the signature in the token. If the bytes match, the token wasn't tampered with after signing. If they don't, the token is rejected. This is why HMAC JWTs work for stateless auth: any service that holds the secret can verify any token without contacting a central server.
The most important security rule is to validate the alg field on the receiving side and refuse any algorithm you didn't expect. The infamous alg: none attack exploited servers that trusted the token's claimed algorithm; modern libraries hard-code which algorithms are acceptable. Also validate exp (reject expired tokens) and ideally iss (the issuer) and aud (the audience) before trusting any claims in the payload.
crypto.randomBytes(32), Python's secrets.token_bytes(32), or the password generator with 32+ characters). Never use a human-typed password or a value short enough to fit in a config file comment.