Question 1

What is a JWT and what does it contain?

Accepted Answer

A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and authorization. It consists of three Base64url-encoded parts separated by dots: Header . Payload . Signature. The Header specifies the token type (typ: JWT) and signing algorithm (alg: HS256, RS256, etc.). The Payload contains claims — statements about the user and metadata: standard claims like sub (subject/user ID), iss (issuer), aud (audience), exp (expiry Unix timestamp), iat (issued-at time), and any custom claims. The Signature is a cryptographic hash of the header and payload using a secret or private key, used to verify the token hasn't been tampered with. You can read the header and payload without the signing key; verifying the signature requires the key.

Question 2

Is it safe to paste my JWT into an online decoder?

Accepted Answer

This tool runs entirely in your browser (client-side JavaScript only) — your token is never sent to any server. However, as a general practice: treat production JWTs containing real user data as sensitive credentials. The JWT payload often contains user IDs, email addresses, roles, and expiry times. If the JWT carries access to production systems, only paste it into tools you fully trust (like this in-browser-only tool). Development and test tokens are generally safe to inspect in any decoder. Best practice: after debugging, invalidate any production token you've shared with an untrusted tool by logging out or revoking it through your auth system.

Question 3

What does the exp claim in a JWT mean?

Accepted Answer

The exp (expiration time) claim is a Unix timestamp (seconds since January 1, 1970 UTC) specifying when the token expires and must no longer be accepted. For example, exp: 1735689600 means the token expires at midnight January 1, 2025 UTC. When a server receives a JWT, it compares the current time against exp and rejects tokens where exp is in the past. Common JWT lifetimes: short-lived access tokens (15m to 1h), longer-lived refresh tokens (1 day to 30 days). The iat (issued at) claim records when the token was created, and nbf (not before) specifies when the token first becomes valid.

Question 4

What is the difference between HS256 and RS256 JWT algorithms?

Accepted Answer

HS256 (HMAC-SHA256) is a symmetric algorithm — the same secret key is used to both sign and verify the token. Simple to implement but the secret must be shared between all services that issue or verify the token. Suitable for single-server applications. RS256 (RSA-SHA256) is an asymmetric algorithm — a private key signs the token and a corresponding public key verifies it. The private key never leaves the auth server; any service with the public key can verify tokens without being able to create new ones. Preferred for microservices, multi-tenant systems, and when tokens need to be verifiable by third parties. Other common algorithms: ES256 (ECDSA, faster than RSA), PS256 (RSA-PSS), and 'none' (unsigned, dangerous — never use in production).

JWT Decoder

Understanding JWT Tokens

Key JWT Claims

Security Note