JWT Encoder/Decoder

Encode and decode JWTs (JSON Web Tokens) with ease.

Understanding JWTs (JSON Web Tokens)

A JWT (JSON Web Token) is a compact, URL-safe way of securely transmitting information between two parties – often between a client (like your browser) and a server.

It looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

🧱 Structure of a JWT

A JWT has three parts, separated by dots (.):

  • Header: Contains metadata like the algorithm used to sign the token.
    Example: {"alg": "HS256", "typ": "JWT"}
  • Payload: Contains the actual data (called “claims”), like user ID, role, etc.
    Example: {"sub": "1234567890", "name": "John Doe", "admin": true}
  • Signature: Created by signing the header and payload with a secret. This ensures the data hasn't been changed.

🧪 How It Works

  1. User logs in with email/password.
  2. Server validates credentials and creates a JWT.
  3. JWT is sent to the client and stored (in localStorage/cookie).
  4. Client sends this JWT with future requests.
  5. Server verifies the JWT’s signature to confirm it’s valid and untampered.

🔐 Common Use Cases

  • User authentication and session management
  • Access control for APIs
  • Single Sign-On (SSO) across services

⚠️ Security Considerations

  • Never store sensitive data (e.g., passwords) in the JWT payload.
  • Always verify the JWT’s signature server-side before trusting its data.
  • Use HTTPS to prevent token theft via man-in-the-middle attacks.
  • Set a reasonable expiration (exp claim) on tokens and refresh them when needed.
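The encode, decode and verify steps described above, as an added Python example that is not the tool's own code: HS256 signing with a constructed secret, pinning the expected algorithm server-side rather than trusting the header, constant-time signature comparison, and the exp check. PAGE_TOKEN is the sample token shown above; the secret and claims in the test are constructed.

```python
import base64, hashlib, hmac, json, time

# Sample token from the page: header.payload.signature, base64url without padding
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore padding

def encode_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload and sign it with HMAC-SHA256 (alg HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_unverified(token: str) -> tuple:
    """Inspect header and claims only; nothing here is trustworthy until verified."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def verify_hs256(token: str, secret: bytes, now=None):
    """Return the claims if the token is authentic and unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # wrong part count, bad base64url, or bad JSON
        return None
    # Pin the algorithm server-side instead of accepting whatever the header claims
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(b64url_decode(p_b64))  # parse claims only once authenticated
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")  # reject expired (or malformed exp) tokens
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        return None
    return claims
```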

📘 Bonus: Standard JWT Claims

  • iss – Issuer (e.g., your app’s domain)
  • sub – Subject (usually user ID)
  • exp – Expiration time
  • iat – Issued at time
  • aud – Audience (intended recipients)
