Token Studio
Privacy First. Inspect and generate JWT/JWK/JWKS.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. A JWT consists of three Base64URL-encoded parts separated by dots: the Header (algorithm and type), the Payload (claims), and the Signature. The signature ensures the token has not been tampered with. JWTs are commonly used for authentication and information exchange in web APIs. Standard claims include sub (subject), iss (issuer), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (JWT ID).
JWT Algorithms
HS256/384/512 uses HMAC with SHA-2 and a shared secret — simple but both parties must hold the same key. RS256/384/512 uses RSA PKCS#1 v1.5 asymmetric signatures — ideal for microservice architectures where services only need the public key. ES256/384/512 uses ECDSA with NIST curves for smaller signatures than RSA with equivalent security. PS256/384/512 uses RSA-PSS, a probabilistic variant preferred over RS* in modern systems.
JWK and JWKS
A JSON Web Key (JWK) is a JSON structure representing a cryptographic key. A JWK Set (JWKS) is a JSON structure containing an array of JWKs under the keys property. Services publish their JWKS at a well-known URL (e.g., /.well-known/jwks.json), allowing clients to fetch public keys for JWT verification without out-of-band key exchange. Keys in a JWKS are identified by their kid (Key ID), which JWT headers reference.
Security Best Practices
Always validate exp, nbf, iss, and aud claims server-side. Never use the alg: none algorithm in production — it removes all signature protection. Prefer asymmetric algorithms (RS*, ES*, PS*) over HMAC when multiple services need to verify tokens. Rotate keys regularly and use kid to identify which key was used to sign each token. Store private keys securely — never commit them to version control. Use short expiration times and refresh tokens rather than long-lived JWTs.