Friday, June 10, 2016 Decode, verify and generate JSON Web Tokens

I’m currently spending a lot of time in implementing security using oAuth and OpenID. One of the things I had to start using were JSON Web Tokens(JWT).

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.

JSON Web Tokens consist of three parts separated by dots (.), which are:

  • Header
  • Payload
  • Signature

A tool that helped me in debugging and testing these Web Tokens is JWT.IO. JWT.IO allows you to decode, verify and generate JWT.


You can take a token generated by your Security Token Service (like for example ADFS or IdentityServer) and paste it on the website. It will decode the token and show you the header and payload and allows you to verify the signature.


No comments: