Demystifying Jwt.io Token Generator

If you’re like me, at some point in your education/career you might have used jwt.io to create a JWT token. You might have also wondered how this generator work underneath the hood. Let’s take a moment and demystify how it works.

TLDR

Jwt.io will encrypt your payload using your private key and will use your public key to verify the encoding.

Long version

For the purpose of this example, let’s assume we have a payload and we’re trying to sign it using the RS256 algorithm.

Here is our payload:

Now, let’s use the pyJwt to create a digital signature of this payload with RS256 algorithm.

Step 1.

Import the library and read your private key as a string:

Step 2.

Define our payload:

Step 3.

Sign the payload:

There a couple things to note here. You do not need to specify the headers to the API as it already knows what the header looks like for RS256. And the output will look something like:

Now let’s verify we’d getting the same signature from JWT.io. Let’s see…

Look at that. They both match. Now that’s an encoded string that can be safely transferred and only someone with a public key can decode that message.

Now you might ask: why does JWT.io generator asks for both private and public key? As you might have guessed, the tool will decode the encoded payload and ensure the original payload is obtained. That’s equivalent to running:

That’s it. I hope this helps someone understand how jwt.io token generator works under the hood.

A tech enthusiast who presides in a jungle.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store