JWT Claims Inspector

Inspect JWT header and payload claims alongside the encoded token structure.

Paste your JWT token to decode it. The token is not sent to any server.

Understanding JWT (JSON Web Tokens)

JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. They are commonly used for authentication and information exchange.

JWT Structure

A JWT consists of three parts separated by dots (.):

header.payload.signature

Header

The header typically consists of two parts: the token type (JWT) and the signing algorithm (e.g., HMAC SHA256 or RSA).

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

The payload contains the claims - statements about an entity (typically the user) and additional data.

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

Signature

The signature is used to verify the token hasn't been tampered with and, if signed with a private key, verify the sender.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

Standard Claims

Claim  Name         Description
iss    Issuer       Who issued the token
sub    Subject      Who the token is about (usually user ID)
aud    Audience     Who the token is intended for
exp    Expiration   When the token expires (Unix timestamp)
nbf    Not Before   Token not valid before this time
iat    Issued At    When the token was issued
jti    JWT ID       Unique identifier for the token

Signing Algorithms

HMAC (Symmetric)

  • HS256: HMAC with SHA-256 (most common)
  • HS384: HMAC with SHA-384
  • HS512: HMAC with SHA-512

Uses a shared secret key. Same key for signing and verification.

RSA (Asymmetric)

  • RS256: RSA with SHA-256 (recommended)
  • RS384: RSA with SHA-384
  • RS512: RSA with SHA-512

Uses public/private key pairs. Private key for signing, public key for verification.

ECDSA (Asymmetric)

  • ES256: ECDSA with SHA-256
  • ES384: ECDSA with SHA-384
  • ES512: ECDSA with SHA-512

Elliptic curve signatures. Smaller keys than RSA with equivalent security.

JWT Best Practices

Security

  • Use strong secrets: At least 256 bits for HMAC
  • Set expiration times: Short-lived tokens (15-30 minutes)
  • Validate all claims: Check iss, aud, exp, nbf
  • Use HTTPS: Always transmit over secure connections
  • Don't store sensitive data: JWTs are not encrypted, only encoded
  • Implement token refresh: Use refresh tokens for new access tokens

Storage

  • HttpOnly cookies: The token cannot be read by JavaScript, so an XSS bug cannot steal it (recommended)
  • Memory only: Don't persist in localStorage, which any script on the page can read
  • Secure flag: Only send the cookie over HTTPS
  • SameSite: Limits when the browser attaches the cookie to cross-site requests, mitigating CSRF

Common Vulnerabilities

Algorithm None Attack

Attacker sets alg to "none" to bypass signature verification. Always validate the algorithm.

Algorithm Substitution

Attacker changes the header alg from RS256 to HS256 and signs the token with the server's public key as the HMAC secret; a verifier that picks the algorithm from the header then validates it with the same public key and accepts the forgery. Pin the expected algorithm in the verifier rather than trusting the header.

Weak Secrets

Weak HMAC secrets can be brute-forced. Use strong, random secrets (256+ bits).

When to Use JWT

Good Use Cases

  • Stateless authentication in APIs
  • Single Sign-On (SSO)
  • Microservices authorization
  • Information exchange between services

When Not to Use

  • Storing large amounts of data (keep payload small)
  • Highly sensitive data (JWT is encoded, not encrypted)
  • Session management requiring instant invalidation
  • When you need to revoke tokens immediately

Implementation Example

Python (PyJWT)

import jwt
from datetime import datetime, timedelta, timezone

# Create token (the secret is a placeholder; use a random value of at least 256 bits)
now = datetime.now(timezone.utc)
payload = {
    'sub': 'user123',
    'name': 'John Doe',
    'iat': now,
    'exp': now + timedelta(minutes=30)
}
token = jwt.encode(payload, 'your-secret-key', algorithm='HS256')

# Verify token: algorithms=['HS256'] pins the algorithm, so "none" and
# RS256-to-HS256 substitution are rejected before the signature is checked
try:
    decoded = jwt.decode(token, 'your-secret-key', algorithms=['HS256'])
    print(decoded)
except jwt.ExpiredSignatureError:
    print('Token expired')
except jwt.InvalidTokenError:
    print('Invalid token')

Node.js (jsonwebtoken)

const jwt = require('jsonwebtoken');

// Create token (the secret is a placeholder; use a random value of at least 256 bits)
const payload = { sub: 'user123', name: 'John Doe' };
const token = jwt.sign(payload, 'your-secret-key', { algorithm: 'HS256', expiresIn: '30m' });

// Verify token: pinning algorithms rejects "none" and algorithm substitution
try {
    const decoded = jwt.verify(token, 'your-secret-key', { algorithms: ['HS256'] });
    console.log(decoded);
} catch (err) {
    console.log('Invalid token:', err.message);
}

JWT Tools

  • jwt.io - JWT debugger
  • jwt_tool - Security testing
  • Browser DevTools - Storage tab

Recommended Expiration

  • Access tokens: 15-30 minutes
  • Refresh tokens: 7-30 days
  • Email verification: 24 hours
  • Password reset: 1 hour

Security Checklist

  • Validate algorithm
  • Verify signature
  • Check expiration
  • Validate issuer
  • Validate audience
  • Use HTTPS only
  • Store securely
  • Implement refresh tokens