JWT Viewer
View JWT online and verify it with a secret.
Understanding JWTs
The "What," "Why," and the critical "How" of secure tokens.
❓ What is a JWT?
A JSON Web Token is a compact, URL-safe way to represent "claims" between two parties. It allows a server to identify a user without needing to look up a session in a database every time.
Why we use them:
- Stateless: No server-side session storage needed.
- Scalable: Great for microservices and distributed systems.
- Cross-Domain: Easily shared across different APIs.
⚠️ The Big Secret
Standard JWTs are not encrypted. They are only Base64Url encoded, and encoding is reversible by anyone, with no key required. This means anyone who intercepts the token can decode it and read every claim in the header and payload.
The Golden Rule:
Never store sensitive data like passwords, PII, or credit card info in a standard JWT. It's like writing your secrets on a postcard.
🛡️ Signing vs. Encryption
| Type | Analogy | Security Goal |
|---|---|---|
| JWS (Signed) | A postcard with a wax seal. Anyone can read it, but no one can change it. | Integrity: Proves the data wasn't tampered with. |
| JWE (Encrypted) | A message in a locked safe. Only the key holder can see what's inside. | Confidentiality: Hides data from everyone else. |
Why is a standard JWT "Secure"?
Even if the data is readable, the Signature ensures the server can trust the token. The signature is computed over the header and payload with a secret (or private key) that only the issuer holds, so a reader without that key cannot produce a valid one. If an attacker changes the `user_id` from 10 to 1, the signature no longer matches the modified payload, and the server will reject the request instantly.
Combine JWTs with HTTPS to ensure the token cannot be intercepted in transit.
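The two points above, that a JWT's claims are readable without any key and that the signature still stops them from being altered, can be demonstrated end to end with nothing but the Python standard library. The following is an added example, not code from this viewer tool: it builds an HS256-signed token with a constructed secret, reads the payload back without the secret, then re-encodes the payload with `user_id` changed from 10 to 1 while keeping the old signature, and shows the verifier rejecting the forged token. The function names, the sample claims and the secret are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example only; a real service loads a long
# random secret from configuration and never hard-codes it.
SECRET = b"example-secret-not-for-production"


def b64url_encode(raw: bytes) -> str:
    """Base64Url encode with the '=' padding stripped, as JWTs require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Base64Url decode, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build a compact JWS token: header.payload.signature using HMAC-SHA256."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def read_claims_unverified(token: str) -> dict:
    """Anyone holding the token can do this: no secret is needed to read it."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only if the HS256 signature is valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None  # not three dot-separated parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the server side rather than trusting the token's
    # own "alg" field; the verifier decides what it accepts, not the sender.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def tamper_payload(token: str, **changes) -> str:
    """Re-encode the payload with altered claims but keep the original signature.

    This is the attacker's-eye view from the text: the claims are editable,
    but the signature was computed over the old payload and will not match.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{sig_b64}"


def demo() -> dict:
    """Run the scenario from the text and report each outcome."""
    token = sign_hs256({"alg": "HS256", "typ": "JWT"},
                       {"user_id": 10, "role": "user"}, SECRET)
    readable_user_id = read_claims_unverified(token)["user_id"]   # readable, no key
    genuine_accepted = verify_hs256(token, SECRET) is not None     # valid signature
    forged = tamper_payload(token, user_id=1)                      # user_id 10 -> 1
    forged_rejected = verify_hs256(forged, SECRET) is None         # signature mismatch
    return {
        "readable_user_id": readable_user_id,
        "genuine_accepted": genuine_accepted,
        "forged_rejected": forged_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Two details in `verify_hs256` matter more than they look: the algorithm is fixed by the server instead of read from the token, and the signature comparison is constant-time. Both are cheap to get right and easy to get wrong when hand-rolling verification, which is why a maintained JWT library is the better choice in production.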