JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs can be verified and trusted because they are digitally signed. They can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. Note that the signature provides integrity and authenticity, not confidentiality: the header and payload are only base64url-encoded, so anyone holding the token can read its claims.
A JWT consists of three parts separated by dots (.):
- Header - Typically contains the token type and the signing algorithm being used
- Payload - Contains the claims or the JWT's data
- Signature - Used to verify that the sender of the JWT is who it says it is and to ensure the message wasn't changed along the way
Yes! JWT Toolbox processes everything in your browser. Your tokens, keys, and data never leave your device or get sent to any server. All cryptographic operations are performed locally using JavaScript. You can even disconnect from the internet after loading the page and the tools will continue to work.
JWT Toolbox currently supports the following HMAC algorithms:
- HS256 (HMAC with SHA-256)
- HS384 (HMAC with SHA-384)
- HS512 (HMAC with SHA-512)
These are the most commonly used symmetric algorithms for JWT tokens.
To verify a JWT token:
- Paste your JWT token in the decoder input field
- Enter the secret key used to sign the token
- Click the "Verify Signature" button
The tool will compute the signature using the provided secret and compare it with the signature in the token.
Common standard claims include:
- iss (Issuer): Who issued the token
- sub (Subject): Who the token refers to
- aud (Audience): Who the token is intended for
- exp (Expiration Time): When the token expires
- nbf (Not Before): When the token starts being valid
- iat (Issued At): When the token was issued
- jti (JWT ID): Unique identifier for the token
You can add custom claims as needed for your application.
Yes! Once you've loaded the JWT Toolbox website, it will work completely offline. All processing happens in your browser, so no internet connection is required after the initial page load.