
JSON Web Tokens (JWT)

JWTs (RFC 7519) are a standard, compact format for representing claims between two parties. Because a signed JWT lets the server verify the claims without looking up a server-side session, they are widely used for stateless authentication in modern web applications and APIs.

Token Inspector

Signature Verified

The token has not been tampered with.

Algorithm
HS256

Encoded Token

ewogICJhbGciOiAiSFMyNTYiLAogICJ0eXAiOiAiSldUIgp9.ewogICJzdWIiOiAiMTIzNDU2Nzg5MCIsCiAgIm5hbWUiOiAiSm9obiBEb2UiLAogICJyb2xlIjogInVzZXIiCn0.0000000045b187f3

Server expects: secret-key-123 (the inspector's 16-hex-character signature is a simplified demo value; a real HS256 signature is a 32-byte HMAC-SHA256 digest, base64url-encoded to 43 characters)

Decoded Payload

Try this: Edit the payload on the right and change "role": "user" to "admin". Note how the signature (Cyan part) changes instantly. If you don't have the correct secret key, the signature you produce won't match the one the server computes, and the token is rejected. An attacker cannot forge this signature without the secret key.

Structure of a JWT

  • Header: Base64url-encoded JSON with metadata about the token, such as the signing algorithm (e.g., HS256) and the token type.
  • Payload: The actual data (Claims): user ID (`sub`), role, expiration time (`exp`). Warning: This is only base64url-encoded, not encrypted! Anyone who obtains the token can read it.
  • Signature: The security part. For HS256 it is an HMAC-SHA256 over `base64url(header) + "." + base64url(payload)`, keyed with the server's secret; for RS256/ES256 it is a digital signature made with a private key. It proves that neither header nor payload has been changed by anyone who lacks the key.

Common Vulnerabilities

None Algorithm: Attackers change the header `alg` to `none` and strip the signature. A server that honours the algorithm claimed inside the token, instead of enforcing the algorithm it expects, accepts the unsigned token as valid. Pin the allowed algorithm(s) in the verifier.
Secret Brute Force: Because anyone holding a token can re-compute the HMAC offline, a weak secret (e.g., "secret123") can be guessed from a wordlist, after which the attacker can forge their own admin tokens. Use a long random secret (at least 256 bits for HS256) or an asymmetric algorithm.
Sensitive Data Exposure: Never put passwords or private information in the Payload. It is readable by anyone who intercepts or is handed the token.
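The following Python example is added here to make the structure section and the three vulnerabilities above concrete; it is not code from the original page. It builds an HS256 token from scratch with the standard library (base64url pieces joined by dots, HMAC-SHA256 over `header.payload`), then contrasts a naive verifier that trusts the token's own `alg` (and so accepts `alg: none`) with a pinned verifier, and finishes with an offline wordlist attack on the demo secret. The payload, the secret `secret-key-123` and the wordlist are taken from or constructed for this page; the function names are my own.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build header.payload.signature. alg="none" yields the unsigned
    shape an attacker submits in the 'none algorithm' attack."""
    header = {"alg": alg, "typ": "JWT"}
    compact = {"separators": (",", ":")}
    signing_input = (b64url_encode(json.dumps(header, **compact).encode())
                     + "." + b64url_encode(json.dumps(payload, **compact).encode()))
    if alg == "none":
        return signing_input + "."          # empty signature part
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_naive(token: str, secret: bytes) -> Optional[dict]:
    """VULNERABLE: believes the alg the token claims, so alg=none is accepted."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))  # no signature checked at all
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(p)) if hmac.compare_digest(expected, b64url_decode(s)) else None


def verify_pinned(token: str, secret: bytes) -> Optional[dict]:
    """Hardened: the algorithm is fixed server-side (never read from the token),
    malformed tokens are rejected, and the MAC is compared in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def brute_force_secret(token: str, wordlist: list) -> Optional[str]:
    """Offline guessing: re-sign header.payload with each candidate secret.
    Nothing touches the server, so rate limiting cannot help here."""
    h, p, s = token.split(".")
    target = b64url_decode(s)
    for guess in wordlist:
        cand = hmac.new(guess.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(cand, target):
            return guess
    return None


SECRET = b"secret-key-123"   # the demo secret shown by the Token Inspector
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "role": "user"}
WORDLIST = ["password", "secret123", "secret-key-123"]   # constructed for the demo


def demo() -> dict:
    token = encode_jwt(PAYLOAD, SECRET)
    admin = {**PAYLOAD, "role": "admin"}
    # Tampering: swap the payload but keep the old signature.
    h, _p, s = token.split(".")
    tampered = h + "." + b64url_encode(json.dumps(admin, separators=(",", ":")).encode()) + "." + s
    # None-algorithm forgery: no secret needed.
    forged = encode_jwt(admin, b"", alg="none")
    return {
        "legit_pinned": verify_pinned(token, SECRET),    # accepted, role "user"
        "tampered_pinned": verify_pinned(tampered, SECRET),  # None
        "forged_naive": verify_naive(forged, SECRET),    # accepted, role "admin"
        "forged_pinned": verify_pinned(forged, SECRET),  # None
        "cracked": brute_force_secret(token, WORDLIST),  # "secret-key-123"
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it to see the four outcomes side by side: the genuine token passes the pinned verifier, the edited payload fails because the old signature no longer matches, the `alg: none` token slips past the naive verifier but not the pinned one, and the weak demo secret falls to a three-word list. Swapping `SECRET` for 32 bytes from `os.urandom` makes the last line return `None` without changing anything else.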