Skip to main content
CheckTown
Dev Tools

JWT Encoder: Create and Sign JSON Web Tokens for Authentication

Published 7 min read
In this article

What Is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. A JWT consists of three Base64URL-encoded parts separated by dots: header.payload.signature. The header specifies the signing algorithm, the payload contains the claims (data), and the signature verifies the token has not been tampered with.

JWTs enable stateless authentication — the server does not need to store session data because all necessary information is embedded in the token itself. This makes JWTs ideal for distributed systems, microservices, and APIs where session storage would add complexity and latency.

JWT Structure Explained

Every JWT is composed of three distinct parts, each serving a specific purpose in the token's lifecycle:

  • Header — a JSON object specifying the token type (typ: JWT) and the signing algorithm (alg: HS256, RS256, etc.), then Base64URL-encoded
  • Payload — a JSON object containing claims such as iss (issuer), sub (subject), exp (expiration time), iat (issued at), and any custom data you need to transmit
  • Signature — created by signing the encoded header and payload with a secret key (HMAC) or private key (RSA/ECDSA), ensuring the token's integrity

The payload is not encrypted — anyone can decode and read it. Never store sensitive information like passwords or credit card numbers in a JWT payload. The signature only guarantees the data has not been modified, not that it is hidden.

Signing Algorithms

The choice of signing algorithm determines how the JWT signature is created and verified. There are three main families of algorithms:

  • HMAC (HS256, HS384, HS512) — symmetric algorithms that use the same secret key for both signing and verification. Simple to implement, best for single-server setups where both the issuer and verifier share the same secret
  • RSA (RS256, RS384, RS512) — asymmetric algorithms using a private key to sign and a public key to verify. Ideal for distributed systems where multiple services need to verify tokens without having access to the signing key
  • ECDSA (ES256, ES384, ES512) — asymmetric algorithms using elliptic curve cryptography. Provide the same security as RSA with significantly smaller key sizes and faster computation, making them well-suited for mobile and IoT applications

For most web applications, HS256 is sufficient when both the token issuer and consumer are the same server. Choose RS256 or ES256 when tokens need to be verified by third parties or across different services.

Try it free — no signup required

Create and Sign JWTs →

Encoding vs Decoding

Encoding a JWT means creating a new token by assembling the header, payload, and generating the signature with your secret or private key. This is typically done on the server side during login or token refresh. The resulting token string is sent to the client for subsequent authenticated requests.

Decoding a JWT can mean two things: extracting the payload claims without verifying the signature (useful for reading token metadata on the client), or fully verifying the signature to confirm the token is authentic and untampered. Production systems should always verify the signature before trusting any claims in the payload.

Common Use Cases

JWTs have become the standard for modern authentication and authorization patterns across web and mobile applications:

  • API authentication — clients include the JWT in the Authorization header (Bearer token) with each request, allowing the server to verify identity without database lookups
  • OAuth 2.0 access tokens — OAuth providers issue JWTs as access tokens that carry scope and permission information for authorized API access
  • Microservice communication — services pass JWTs between each other to propagate user identity and permissions across service boundaries without centralized session storage
  • Single Sign-On (SSO) — a central identity provider issues a JWT that multiple applications accept, enabling users to authenticate once and access all connected services

Security Best Practices

JWTs are powerful but require careful implementation to avoid common security pitfalls:

  • Set short expiration times — use exp claims of 15 minutes to 1 hour for access tokens, and implement refresh token rotation for longer sessions
  • Never store sensitive data in the payload — JWT payloads are only Base64URL-encoded, not encrypted. Anyone with the token can read the claims
  • Always validate all claims — verify exp, iss, aud, and any custom claims on every request. Do not trust the payload without full signature verification
  • Use HTTPS exclusively — transmit JWTs only over encrypted connections to prevent token interception via man-in-the-middle attacks
  • Reject the "none" algorithm — always validate that the alg header matches your expected algorithm. The "none" algorithm bypasses signature verification entirely

Frequently Asked Questions

What is the difference between JWT and session cookies?

Session cookies store a session ID on the client while the actual session data lives on the server. JWTs are self-contained — all the data is in the token itself. This makes JWTs stateless and easier to scale horizontally, but harder to revoke since you cannot simply delete a server-side session. Session cookies are simpler for traditional web apps; JWTs are better for APIs and distributed systems.

How do I revoke a JWT before it expires?

Since JWTs are stateless, there is no built-in revocation mechanism. Common strategies include: maintaining a token blocklist (checking against it on each request), using short-lived access tokens with refresh token rotation (revoking the refresh token invalidates future access), or storing a token version in the user record and incrementing it on logout.

Is there a size limit for JWTs?

There is no formal size limit in the JWT specification, but practical limits exist. Most HTTP servers limit header sizes to 8 KB. Since JWTs are typically sent in the Authorization header, keeping tokens under 4 KB is recommended. Large payloads with many claims can exceed this — consider storing only essential claims in the JWT and fetching additional data from an API.

Related Tools

JWT Decoder: Inspect and Debug JSON Web Tokens OnlineJWTs power modern authentication. Learn how to decode, inspect, and debug tokens without any tools.Read article → Base64 Encoding & Decoding: A Developer's Complete GuideBase64 is everywhere in web development. Learn how it works, when to use it, and common pitfalls.Read article → HMAC: How Hash-Based Message Authentication WorksUnderstand HMAC signatures, key management, and how to verify message integrity with SHA-256, SHA-384, and SHA-512.Read article →
Back to Blog