JWT Generator

Create and sign JSON Web Tokens with HMAC algorithms. Choose HS256, HS384, or HS512 — all signed client-side with Web Crypto API.

How it works: Configure the algorithm, edit the payload JSON, enter your secret key, and click Generate. The token is signed entirely in your browser using the Web Crypto API — your secret never leaves your device.

Default header (the tool's starting value):

{
  "alg": "HS256",
  "typ": "JWT"
}

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It consists of three parts separated by dots: a header (algorithm and token type), a payload (claims/data), and a signature. JWTs are widely used for authentication, authorization, and information exchange in web applications and APIs.

How JWT Signing Works

JWT signing uses cryptographic algorithms to ensure the token hasn't been tampered with. HMAC algorithms (HS256, HS384, HS512) use a shared secret key — the same key signs and verifies the token. The signature is an HMAC computed over the base64url-encoded header and payload (joined by a dot) using the secret. Anyone with the secret can verify the token's authenticity, but without the secret, forging a valid signature is computationally infeasible.

Common JWT Claims

JWT payloads contain claims — key-value pairs with information about the user or token. Standard claims include: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time as Unix timestamp), nbf (not before), iat (issued at), and jti (unique token ID). Custom claims can hold any JSON-serializable data like user roles, permissions, or email addresses. Keep payloads small — JWTs are sent with every request.

JWT Security Best Practices

  • Always set an expiration (exp) — tokens without expiry are a security risk
  • Use strong secrets — at least 256 bits for HS256, ideally random bytes
  • Never store sensitive data in the payload — JWTs are encoded, not encrypted
  • Use HTTPS — JWTs in transit can be intercepted on unencrypted connections
  • Validate all claims on the server — don't trust the client's token blindly
  • Consider RS256 for distributed systems — asymmetric keys avoid sharing secrets