What is a JWT?

A JSON Web Token is three Base64URL‑encoded parts joined by dots: header.payload.signature. The header declares type and alg (for example, HS256, RS256). The payload carries claims such as iss (issuer), sub (subject), aud (audience), exp (expiration), and custom fields. The signature is computed over header and payload with a shared secret (HMAC) or private key (RSA/ECDSA), allowing recipients to verify integrity and authenticity statelessly.

How JWTs work

A server authenticates a user, signs a token, and returns it to the client. Clients include the token in Authorization: Bearer <JWT>. The server verifies the signature, checks exp and nbf, then applies authorization based on scopes/roles. Because JWTs are self‑contained, they scale well across microservices and CDNs, but require strict key rotation, short lifetimes, and careful claim design to avoid bloat or leakage.

About the JWT Creator tool

Choose HS256/HS384/HS512 for HMAC with a shared secret or RS256/ES256 for asymmetric keys. Set standard claims (iss, sub, aud, exp, nbf, iat, jti) and add custom claims, then sign to produce the JWT. Copy the token into curl or your HTTP client to test protected endpoints. Don’t expose real secrets in browsers; never store private keys in client code.

FAQ