Learn JWT

Master JSON Web Tokens for authentication and authorization.

Introduction

JSON Web Tokens (JWT) are an open industry standard (RFC 7519) for representing claims securely between two parties.

Beginner Guide

Getting Started with JWT


What is JWT?

JWT is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure.


JWT Structure

A JWT consists of three parts separated by dots:

1. Header: Contains the algorithm (alg) and token type (typ)
2. Payload: Contains the claims (data)
3. Signature: Computed over the encoded header and payload with the issuer's key, so a verifier can detect tampering

Each part is base64url-encoded and the three parts are joined with dots:

```
header.payload.signature
```


Example JWT

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```


Decoded JWT

Header:

```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```

Payload:

```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
```


Common Claims

  • iss - Issuer (who created the token)
  • sub - Subject (whom the token is about)
  • aud - Audience (who the token is intended for; a verifier must check that it names itself)
  • exp - Expiration time (NumericDate: seconds since the Unix epoch)
  • nbf - Not before (the token must not be accepted earlier than this time)
  • iat - Issued at
  • jti - JWT ID (unique identifier, useful for revocation and replay detection)

Advanced Guide

Advanced JWT Concepts


JWT Algorithms

JWT supports various signing algorithms. The alg header names the one the issuer used; the verifier must decide which algorithms it accepts rather than trusting that header.

Symmetric (Shared Secret):

  • HS256 - HMAC with SHA-256
  • HS384 - HMAC with SHA-384
  • HS512 - HMAC with SHA-512

Every party that verifies an HMAC token holds the same secret and can therefore also mint tokens. The secret must be a random value at least as long as the hash output (32 bytes for HS256), not a password.

Asymmetric (Public/Private Key):

  • RS256 - RSASSA-PKCS1-v1_5 with SHA-256
  • RS384 - RSASSA-PKCS1-v1_5 with SHA-384
  • RS512 - RSASSA-PKCS1-v1_5 with SHA-512
  • ES256 - ECDSA on the P-256 curve with SHA-256
  • ES384 - ECDSA on the P-384 curve with SHA-384
  • ES512 - ECDSA on the P-521 curve with SHA-512

Only the issuer holds the private key; verifiers hold the public key and cannot forge tokens, which is why asymmetric algorithms suit systems with many independent verifiers.

JWT Best Practices

1. Always use HTTPS - Never transmit a JWT over plain HTTP; a bearer token is a credential, and anyone who captures it can replay it.
2. Set expiration - Always include the exp claim, and have the verifier reject tokens that lack it.
3. Use strong algorithms - Prefer RS256 or ES256 over HS256 for distributed systems: sharing an HMAC secret with every verifier lets any of them mint tokens. Pin the expected algorithm in the verifier rather than honouring the token's alg header.
4. Store securely - Store the JWT in an HttpOnly, Secure cookie (with a SameSite attribute, and with CSRF protection since cookies are sent automatically), not in localStorage, which any script running on the page can read.
5. Validate all claims - Don't trust the token blindly: verify the signature first, then check exp, nbf, iss and aud against values the verifier expects.
6. Use short-lived tokens - Combine with refresh tokens


Refresh Tokens

Refresh tokens are used to obtain new access tokens:

1. User authenticates with username/password
2. Server returns an access token (short-lived) and a refresh token (long-lived)
3. When the access token expires, the client uses the refresh token to get a new access token
4. Refresh tokens should be stored securely on the client, and the server should keep a record of the refresh tokens it has issued so that a stolen one can be revoked


Token Revocation

JWT is stateless by design, which makes revocation challenging: a validly signed token stays valid until exp unless the verifier checks something beyond the signature.

  • Use a token blacklist (a database lookup, keyed by jti, on every request; entries can be dropped once the token's exp has passed)
  • Shorten token expiration (limits both the exposure window of a stolen token and the size of the blacklist)
  • Use reference tokens (store token data server-side and hand the client only an opaque identifier)

Common Errors

  • Storing JWT in localStorage (readable by any script on the page, so vulnerable to XSS)
  • Not validating the signature (decoding a token is not verifying it)
  • Accepting alg: none, or letting the token's alg header choose the algorithm; using HS256 in distributed systems, where every verifier holds the secret
  • Not checking token expiration
  • Accepting tokens from untrusted issuers
  • Not validating all required claims (exp, iss, aud)
  • Using JWT for long-term sessions without refresh tokens
  • Transmitting JWT over plain HTTP

FAQ

What is JWT used for?

JWT is primarily used for authentication and information exchange in web applications.

Is JWT secure?

JWT can be secure if properly implemented. Always use HTTPS, verify the signature with an algorithm the verifier chose, and validate all claims.

Can JWT be decrypted?

A typical JWT is a JWS: it is signed, not encrypted. The payload is only base64url-encoded, so anyone holding the token can read it; never put secrets in the payload. Encrypted tokens exist as JWE, but that is a separate structure.

What is the difference between JWT and OAuth?

JWT is a token format, while OAuth is an authorization framework. OAuth access tokens may be JWTs, but do not have to be.

How long should JWT tokens live?

Access tokens should be short-lived (15-60 minutes), while refresh tokens can be longer-lived.

Can I revoke a JWT token?

JWT is stateless, so revocation requires additional mechanisms like blacklists or short expiration times.

What is the best way to store JWT?

Store JWT in HttpOnly, Secure cookies for web applications.

What algorithm should I use?

Use RS256 or ES256 for distributed systems. Use HS256 only when the issuer and the verifier are the same service (a single-server application), because every holder of the HMAC secret can mint tokens.

DevKitFlow - Free Online Developer Tools