Anatomy of a JWT
A JWT is three Base64URL strings joined by dots: header.payload.signature.
| Part | Contains | Encrypted? |
|---|---|---|
| Header | Algorithm + token type | No — readable |
| Payload | Claims (the data) | No — readable |
| Signature | HMAC/asymmetric over header+payload | n/a (it’s the proof) |
The signature is what makes a JWT trustworthy: change a single character of the header or payload and the signature no longer validates. But — worth repeating because it’s the most common mistake — the payload is merely encoded, not hidden. Paste any JWT into a decoder and its claims are plainly visible.
Set the registered claims deliberately
JWTs define standard claims with specific meanings (RFC 7519). The time-based ones are the difference between a safe token and a liability:
exp(expiration) — always set it. A token with no expiry is valid forever, so a single leak is permanent. Short-lived access tokens (minutes to an hour) limit the blast radius.nbf(not before) — optional; rejects a token used before a start time.iat(issued at) — lets you reason about token age and revoke everything issued before a cutoff.iss/aud— bind the token to a specific issuer and intended audience so a token minted for one service can’t be replayed against another.
Where to store tokens matters as much as how you sign them
A correctly signed token is still dangerous if it’s stored carelessly. Putting JWTs in localStorage exposes them to any XSS on the page — a single injected script reads every token. An httpOnly cookie keeps the token out of JavaScript’s reach (mitigating XSS theft) at the cost of needing CSRF protection. The common production pattern is a short-lived access token plus a longer-lived refresh token, with the refresh token kept in an httpOnly, Secure, SameSite cookie. Signing is only half the security story; storage is the other half.
Build for testing, sign for real elsewhere
This builder signs with HMAC algorithms (HS256/384/512) using the Web Crypto API entirely in your browser — your secret never leaves the page — which makes it ideal for creating test tokens and learning the structure. But don’t generate production tokens with your real secret in any browser tool: issue those server-side with proper key management, rotation, and an algorithm allowlist. To inspect tokens you receive (and confirm exactly what claims they carry), pair this with the JWT Decoder.