How to Sign and Validate JSON Web Tokens (JWT) using jwt.io?

Sign JWT using jwt.io Tool

JSON Web Tokens (JWTs) are now the de facto standard for secure login and for exchanging claims between parties. They are compact, URL-safe, and may be signed or encrypted. A great way to experiment with JWTs is jwt.io, a site that helps you create, sign, and validate them.

This article demonstrates how to generate, sign, and verify JWTs using jwt.io. It also covers command-line utilities such as OpenSSL and CertUtil, and third-party tools such as DigiCert Software Trust Manager.

What is the JWT Structure?

A JWT has three base64URL-encoded components:

JWT = Base64Url(Header) + '.' + Base64Url(Payload) + '.' + Base64Url(Signature)

  • Header: Contains metadata about the token, such as the signing algorithm (e.g., RS256).
  • Payload: Carries the claims (user data) such as sub, name, admin, etc.
  • Signature: Lets a verifier confirm that the header and payload were not altered and that the token was issued by the holder of the signing key.

Sample Header:

{
  "alg": "RS256",
  "typ": "JWT"
}

Sample Payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1516239022
}


Create Header and Payload on jwt.io

  • Visit https://jwt.io.
  • In the Encoded field, enter the token in its compact header.payload.signature form.
  • In the Decoded section:
    – Place the header in the left box.
    – Place the payload (claims) in the appropriate box.
  • Choose the algorithm (e.g., RS256) and fill in any other fields that are to be signed.

Base64URL Encode the Header and Payload

JWT expects Base64URL-encoded data, not standard Base64. The difference: Base64URL replaces + with -, / with _, and strips the = padding. This makes the token safe to transmit in a URL.

Data Type             Output
Header (Base64URL)    eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9
Payload (Base64URL)   eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0

Generate Signature using SHA256 and RSA (RS256)

You now have: Y = Base64Url(Header) + '.' + Base64Url(Payload)

Step 1: Generate a Hash of Y

Save Y to a file (without a trailing newline, since any extra byte changes the digest) and hash it with OpenSSL or CertUtil.

OpenSSL:

openssl dgst -sha256 "path_to_Y"

CertUtil:

certutil -hashfile "path_to_Y" SHA256

Both commands print the SHA-256 digest as a hex string.

Step 2: Hex to Base64

Convert the hex digest to Base64, for example with https://www.base64.guru/converter/encode/hex.

Sign the Hash with a Private Key (optional via API)

You may sign the Base64 hash with:

  • The REST API of your key manager or CA, called from Postman (if it supports signing a hash).
  • DigiCert Software Trust Manager, which requires a key pair and access to the service.

The service returns a Base64-encoded signature. Sample signed hash (Base64):

gEH7jLqeT4zBSDeQsFJihB8n/cshG8A53fiGQ3TbX1M=

Convert the Signature to Base64URL

Since JWT requires Base64URL, convert the Base64 signature to Base64URL, for example at https://base64url.com.

Computed JWT Signature (Base64URL):

gEH7jLqeT4zBSDeQsFJihB8n_cshG8A53fiGQ3TbX1M

Construct the JWT Token

Now combine all three pieces:

JWT = Base64Url(Header) + '.' + Base64Url(Payload) + '.' + Base64Url(Signature)

Final token:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.gEH7jLqeT4zBSDeQsFJihB8n_cshG8A53fiGQ3TbX1M

Verify the JWT Signature

To confirm that the JWT has not been tampered with:

  • Access jwt.io.
  • Paste the entire JWT token into the Encoded field.
  • In the Verify Signature field, enter the public key that corresponds to the private key used for signing.
  • If the signature is valid, you’ll receive a success message.
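The signing and verification steps above, as an added example in Go that is not code from the article, jwt.io or DigiCert: it Base64URL-encodes the header and the article's sample payload, hashes header.payload with SHA-256, signs the digest with RSASSA-PKCS1-v1_5 (the operation the name RS256 denotes, and the step a key manager performs when handed the hash), then runs the public-key check jwt.io does, which also rejects a header naming any other algorithm. The RSA key is generated in memory for the demonstration; that, and the function names, are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// b64url is the JWT encoding: Base64 with '-' and '_' in place of '+' and '/', no '=' padding.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 hashes Base64Url(header).Base64Url(payload) with SHA-256 and RSA-PKCS1-v1.5-signs the digest (that is RS256).
func SignRS256(key *rsa.PrivateKey, payload []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyRS256 is the public-key check jwt.io runs: require 3 parts and alg=RS256, then verify over header.payload.
func VerifyRS256(pub *rsa.PublicKey, token string) error {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); len(parts) != 3 || err != nil ||
		json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return fmt.Errorf("token is not a well-formed RS256 JWT") // also rejects alg=none or HS256 headers
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("signature does not match header.payload") // any edit to either part lands here
	}
	return nil
}

// main signs the article's sample payload with a throwaway in-memory key (a demo assumption; real keys stay in a key manager or HSM).
func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := SignRS256(key, []byte(`{"sub":"1234567890","name":"John Doe","admin":true,"iat":1516239022}`))
	fmt.Println(tok, "\nverify:", VerifyRS256(&key.PublicKey, tok))
}
```

An RS256 signature is as long as the RSA modulus (256 bytes for a 2048-bit key): it is the RSA output over the padded digest, not the 32-byte digest itself.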

Best Practices for JWT Security

  • Use trusted signing mechanisms (prefer RS256 to HS256).
  • Specify token expiration (exp) and not-before (nbf) claims.
  • Never put sensitive information in the payload: it is only encoded, not encrypted, so anyone holding the token can read it.
  • Always verify tokens on the server side with the public key.
  • Rotate signing keys and store them securely.

Conclusion

If you require signing certificates to sign APIs, secure information, or provide digital authenticity, SignMyCode provides reliable code signing certificates and convenient support with JWT signing and verification.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.