JWT Encoder / Decoder | HS256

Encoded JWT | Generated

Validation: Unknown

Decoded JWT | Source ⬅

JWT Encoder / Decoder

This tool helps to encode and decode JWT (JSON Web Tokens).

JWT Components

A JWT (JSON Web Token) is a compact and secure way to represent claims between two parties, typically for authentication. It consists of three components:

Component	Description
Header	Contains metadata about the token, including the signing algorithm (alg) and token type (typ).
Payload	Contains the claims (statements about an entity), such as user data or roles. It can include registered claims (like exp, iss, sub), or custom claims.
Signature	Ensures the token's integrity and authenticity. It's created by signing the header and payload with a secret key (or private key for RSA).

Encoding / Decoding

Algorithm	Description
Encoding	Encode the Header: The header (which includes the algorithm and token type) is serialized to a JSON string. It is then Base64Url encoded, which turns the string into a compact, URL-safe format. Encode the Payload: The payload (which contains claims) is serialized into a JSON string. This string is also Base64Url encoded, creating the second part of the JWT. Create the Signature: The encoded header and payload are combined, separated by a period (.). The signature is generated by applying the specified signing algorithm (e.g., HMAC SHA-256 or RSA) to the combined string, using a secret key (or private key for RSA). The resulting signature is Base64Url encoded. Finally, the JWT is formed by concatenating the three parts with periods (.): [Base64Url(header)] . [Base64Url(payload)] . [Base64Url(signature)]
Decoding	Split the JWT: The JWT is split into three parts by periods (.); [Header] . [Payload] . [Signature] Decode the Header and Payload: The first two parts (header and payload) are Base64Url decoded to retrieve the original JSON strings. This provides the header (metadata) and the payload (claims/data). Verify the Signature: To ensure the JWT hasn't been tampered with, the signature is verified: The decoded header and payload are re-encoded (Base64Url). The verification algorithm (e.g., HMAC SHA-256 or RSA) is used with the secret key (or public key for RSA) to check if the signature matches the expected one. If the signature is valid, the JWT is authentic and untampered. If invalid, the JWT should be rejected. This process allows to extract and validate the information contained in the JWT.

Supported Algorithms

Symmetric Key Algorithms (both signing and verification use the same key)

Name	# Hash	Description
HS256	SHA-256	The HS256 (HMAC with SHA-256) is a symmetric-key signing algorithm used in JWTs. It combines the HMAC (Hash-based Message Authentication Code) mechanism with the SHA-256 cryptographic hash function to ensure data integrity and authenticity.
HS384	SHA-384	The HS384 (HMAC with SHA-384) is a symmetric key signing algorithm used in JWTs, similar to HS256, but with a stronger hash function (SHA-384) for enhanced security.
HS512	SHA-512	The HS512 (HMAC with SHA-512) is a symmetric key signing algorithm for JWTs that uses the SHA-512 hash function, offering an even higher level of security than HS256 and HS384.

Asymmetric Key Algorithms (the signing and verification processes use different keys - private key is used for signing and public Key is used for verifying the JWT's authenticity)

Name	# Hash	Description
RS256	SHA-256	The RS256 (RSA Signature with SHA-256) is an asymmetric signing algorithm used in JWTs. It uses the RSA algorithm for signing and the SHA-256 hash function for creating the signature.
RS384	SHA-384	The RS384 (RSA Signature with SHA-384) is an asymmetric signing algorithm used in JWTs, similar to RS256, but with a stronger hash function (SHA-384 instead of SHA-256) for added security.
RS512	SHA-512	The RS512 (RSA Signature with SHA-512) is an asymmetric signing algorithm for JWTs that uses the RSA algorithm combined with the SHA-512 hash function for creating the signature.
ES256	SHA-256	The ES256 (ECDSA with SHA-256) is an asymmetric signing algorithm for JWTs that uses Elliptic Curve Digital Signature Algorithm (ECDSA) with the SHA-256 hash function.
ES384	SHA-384	The ES384 (ECDSA with SHA-384) is an asymmetric signing algorithm used in JWTs that employs Elliptic Curve Digital Signature Algorithm (ECDSA) with the SHA-384 hash function for signing.
ES512	SHA-512	The ES512 (ECDSA with SHA-512) is an asymmetric signing algorithm for JWTs that uses the Elliptic Curve Digital Signature Algorithm (ECDSA) with the SHA-512 hash function.
PS256	SHA-256	The PS256 (RSASSA-PSS with SHA-256) is an asymmetric signing algorithm for JWTs that uses RSASSA-PSS (RSA Signature Scheme with Appendix - Probabilistic Signature Scheme) combined with the SHA-256 hash function. It provides enhanced security compared to traditional RSA signatures (like RS256) by using a probabilistic approach to signing.
PS384	SHA-384	The PS384 (RSASSA-PSS with SHA-384) is an asymmetric signing algorithm used in JWTs that employs the RSASSA-PSS (RSA Signature Scheme with Appendix - Probabilistic Signature Scheme) combined with the SHA-384 hash function.
PS512	SHA-512	The PS512 (RSASSA-PSS with SHA-512) is an asymmetric signing algorithm used in JWTs that combines RSASSA-PSS (RSA Signature Scheme with Appendix - Probabilistic Signature Scheme) with the SHA-512 hash function.