JWT Generator/Decoder
Generate and decode JSON Web Tokens. Encode with HMAC-SHA256 via Web Crypto API. Decode to see header, payload, and expiration status.
How to Use JWT Generator/Decoder
1. Paste a JWT to decode, or switch to Encode mode.
2. See the decoded header, payload, and claims.
3. Check token expiration status.
4. Generate new JWTs with custom claims and secret.
Frequently Asked Questions
What is a JSON Web Token (JWT)?
A JSON Web Token is a compact, URL-safe means of representing claims to be transferred between two parties. The claims are encoded as a JSON object that is digitally signed using HMAC or RSA. JWTs are widely used for authentication and information exchange in APIs and single-page applications.
What is the structure of a JWT?
A JWT consists of three Base64url-encoded segments separated by dots: Header.Payload.Signature. The Header specifies the algorithm (e.g., HS256) and token type. The Payload contains the claims (iss, sub, exp, etc.). The Signature is computed from the header and payload using the secret key, and is used to verify the token has not been tampered with.
What is the difference between JWT and session-based authentication?
Session-based authentication stores session data server-side (in a database or memory) and gives the client a session ID cookie. JWT is stateless — the token itself carries the claims, so the server needs no session store. JWTs are easier to scale across multiple servers and services, but cannot be easily revoked once issued unless you maintain a blocklist.
When should I use JWTs?
JWTs are well suited for stateless API authentication, microservices communication, single sign-on (SSO), and mobile app authentication. They are less ideal when you need immediate token revocation (e.g., logout invalidation) without a revocation list, or when the payload is large and adds overhead to every request.
What are the security concerns with JWTs?
Key concerns include: (1) Weak secrets — always use a long, random key for HMAC. (2) The "alg: none" attack — never accept tokens with no algorithm. (3) Storing JWTs in localStorage exposes them to XSS; prefer httpOnly cookies. (4) Long expiration times mean a stolen token stays valid — keep exp short and use refresh tokens. (5) Never put sensitive data in the payload — it is only Base64-encoded, not encrypted.