HS256

What is Online JWT Encoder/Decoder?

JWT Encoder/Decoder is a free online tool for encoding and decoding JWT (JSON Web Token). JWT is a standard for transferring JSON data securely by signing it with a key. You can use this tool as an online JWT debugger, so you can sign a JWT with a signing key or private key, verify a JWT with a signing key or public key, or just decode a JWT without verifying the signature.

There are 9 algorithms available which are HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384 and ES512. HSxxx algorithms works with a single signing key as a string while RSxxx and ESxxx algorithms works with a public & private key pair. Private key is using in encoding while public key is used for decoding JWT. If there is one key that is used both for encoding and decoding JWT, it is called symmetric algorithm, if there is a public/private key pair, then it is called asymmetric algorithm.

There are 3 parts of a JWT which are separated with dots. They are header, payload, and signature. Therefore, all JWT have a structure of "aaaaa.bbbbb.cccc". They are all in base64 format. Header and payload of the JWT can be seen by everyone after decoding. Signature is very important for securely transferring this data. When you send data from server to client and get it back, you verify your data with this signature.

There are some predefined claims such as "iss" (issuer), "exp" (expiration time), "sub" (subject), "aud" (audience) that is stored in the payload of a JWT. Even if they are not mandatory, it is advised to use them for defining the data and data validity better. Meta data of the token is stored in the header section like what is the algorithm etc.

For JWT decoding, you can either verify the signing key or not. Even if the signature is invalid, you will still see the payload and header of the JSON web token.

If you are using HSxxx (symmetric) algorithms, for security reasons, it is advised to have 256 bit (32 characters), 384 bit (48 characters), 512 bit (64 characters) and longer signing keys for HS256, HS384 & HS512 respectively. Otherwise, your signing key may be cracked with brute force. Reference: Importance of using strong keys with JWT

JWT Structure Before Decoding
JWT Structure Before Decoding

How to use Online JWT Encoder/Decoder?

You can encode, decode, or debug a JWT by using these steps.

  1. If you want to generate a JWT, fill input field with the payload. If you want to decode a JWT, fill input field with the JWT that you want to decode.
  2. Make your configuration for encoding/decoding and fill signing keys if needed.
  3. When all configuration is completed, click the button "Encode" or "Decode" according to your needs. If all required fields are filled and there is no problem about parsing the input, you will get your result from the output field.

Security Note

Information regarding any JWT that is generated or decoded in this tool including signing keys, public and private key pairs are used only in your browser. This data is not transferred to any server. However, for security purposes, it is advised to protect your signing keys and public/private key pairs from any 3rd party tool including 10015.io (even if it is a client-side tool) if this information is crucial for you application. This tool is designed as a JWT debugger to demonstrate how JWT works.