JWT Signer and Verifier Guide
Sign, verify, and inspect JSON Web Tokens — HS256, RS256, and ES256 algorithms with payload inspection.
Published:
Tags: JWT signer verifier, sign JWT online, JSON Web Token tools
JWT Signer and Verifier Guide A JWT (JSON Web Token) is a compact, URL-safe token format for transmitting claims between parties. Signing a JWT binds its payload to a secret or key pair so that any tampering is detectable by the verifier. --- What is jwt structure? A JWT is three Base64URL-encoded segments joined by periods: Header — Algorithm and token type: Payload — Claims about the subject: Signature — Computed over header + "." + payload: The payload is only Base64URL-encoded — it is not encrypted. Anyone holding the token can read the claims. Never store passwords, PII, or secrets in the payload unless you use JWE (JSON Web Encryption, RFC 7516). What is standard jwt claims? RFC 7519 defines these registered claim names: | Claim | Name | Typical value |…
Frequently Asked Questions
How do I sign a JWT?
Encode the header and payload as Base64URL strings, concatenate them with a period, then compute an HMAC-SHA256 signature over the result using your secret key. The final token is header.payload.signature — all three segments are Base64URL-encoded.
What is HS256 in JWT?
HS256 (HMAC with SHA-256) is a symmetric JWT signing algorithm: the same secret is used to both sign and verify the token. It is simple and fast, but requires every service that verifies tokens to share the same secret, which can complicate key distribution in large systems.
How do I verify a JWT signature?
Re-compute the expected signature from the header and payload using the same algorithm and key, then compare it to the signature segment of the token using a constant-time comparison. If they match, the token is authentic and unmodified. Also check that the `exp` claim is in the future.
What is the JWT header, payload, and signature?
The header is a JSON object that declares the signing algorithm and token type. The payload is a JSON object containing claims such as subject, issuer, expiry, and any custom data. The signature is a cryptographic value over header and payload that lets the verifier detect any tampering.
What algorithm should I use for JWT signing?
Use RS256 or ES256 for production systems where multiple independent services need to verify tokens — they use asymmetric keys so verifiers never need access to the signing key. Use HS256 only for single-service scenarios where you control all verification points. Never use the `none` algorithm.
All articles · theproductguy.in