NexKit

JWT Generator


For verification, use the JWT Decoder tool. Tokens are signed with HMAC — do not use real secrets in a browser environment.

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. A JWT consists of three Base64URL-encoded parts separated by dots: the Header (algorithm and token type), the Payload (claims), and the Signature. The signature is generated by the server using a secret key, and can be verified by any party who knows that key.

What are JWT claims?

Claims are statements about an entity (typically the user) and additional metadata. Standard registered claims include: sub (subject — who the token is about), iss (issuer — who created the token), aud (audience — who the token is intended for), exp (expiration time), and iat (issued at). Custom claims can hold any application-specific data, such as roles or permissions.

HS256 vs HS384 vs HS512 — what is the difference?

All three are HMAC-based symmetric signing algorithms. The number indicates the SHA variant used: SHA-256, SHA-384, or SHA-512. HS256 produces a 256-bit (32-byte) signature, HS384 a 384-bit signature, and HS512 a 512-bit signature. For most applications, HS256 provides sufficient security. Use HS384 or HS512 if you need a longer signature or are working in a high-security environment.

Is it safe to generate JWTs in a browser?

This tool is intended for testing and development only. Never use real production secrets in a browser-based tool. For production use, JWTs should be generated server-side where the secret key can be kept private. The signatures generated here use the Web Crypto API's HMAC implementation, which is cryptographically correct.
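An added example, not this tool's own code: server-side HS256/HS384/HS512 signing and verification in Node.js with the built-in crypto module, where the verifier pins the expected algorithm, compares signatures in constant time, and rejects expired tokens. The function names, the secret, and the claim values are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// JWT "alg" header value -> Node digest name (the SHA variant behind each HS* algorithm).
const ALGS = { HS256: 'sha256', HS384: 'sha384', HS512: 'sha512' };

// Constructed demo secret; a real key is loaded from server-side configuration.
const DEMO_SECRET = 'constructed-demo-secret-not-for-production';

const b64url = (data) => Buffer.from(data).toString('base64url');

function hmac(alg, secret, signingInput) {
  return createHmac(ALGS[alg], secret).update(signingInput).digest();
}

// Builds header.payload.signature, each part Base64URL-encoded.
function signJwt(claims, secret, alg = 'HS256') {
  if (!Object.hasOwn(ALGS, alg)) throw new Error('unsupported alg');
  const header = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const payload = b64url(JSON.stringify(claims));
  const input = `${header}.${payload}`;
  return `${input}.${hmac(alg, secret, input).toString('base64url')}`;
}

// Returns the claims or throws. expectedAlg is chosen by the verifier and is
// never taken from the token's own header.
function verifyJwt(token, secret, expectedAlg = 'HS256', now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [header, payload, signature] = parts;
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
  if (alg !== expectedAlg || !Object.hasOwn(ALGS, alg)) throw new Error('unexpected alg');
  // Recompute the HMAC over the exact bytes received, then compare in constant time.
  const expected = hmac(alg, secret, `${header}.${payload}`);
  const given = Buffer.from(signature, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  // exp is seconds since the epoch; the token is invalid at or after that instant.
  if (typeof claims.exp === 'number' && now >= claims.exp) throw new Error('token expired');
  return claims;
}
```
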
