Demystifying Jwt.io Token Generator

NP
2 min read · Nov 14, 2020

If you're like me, at some point in your education or career you might have used jwt.io to create a JWT token. You might also have wondered how this generator works underneath the hood. Let's take a moment and demystify how it works.

TLDR

Jwt.io signs your payload with your private key and uses your public key to verify that signature.

Long version

For the purpose of this example, let’s assume we have a payload and we’re trying to sign it using the RS256 algorithm.

Here is our payload:

{
    'iss': 'xxxxx-xxxx-xxx-xxx',
    'sub': 'xxxxx-xxxx-xxx-xxx',
    'iat': '1605233231',
    'exp': '1607710548',
    'aud': 'some.cool.server.com',
    'scope': 'random scope'
}

Now, let's use PyJWT to create a digital signature of this payload with the RS256 algorithm.

Step 1.

Import the library and read your private key as a string:

>>> import jwt
>>> private_key = open('private.pub', 'r').read()

Step 2.

Define our payload:

>>> payload = {'iss':'xxxxx-xxxx-xxx-xxx','sub':'xxxxx-xxxx-xxx-xxx','iat':'1605233231','exp':'1607710548','aud':'some.cool.server.com','scope':'random scope'}

Step 3.

Sign the payload:

>>> encoded = jwt.encode(payload, private_key, algorithm='RS256')

There are a couple of things to note here. You do not need to pass the header to the API, because it already knows what the header looks like for RS256 (the first segment of the output below decodes to {"typ":"JWT","alg":"RS256"}). The output will look something like:

>>> encoded
b'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.ey***************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Vg'

Now let's verify that we get the same signature from JWT.io. Let's see…

Look at that. They both match. Now that's a signed token that can be safely transferred, and anyone holding the public key can verify it.

Now you might ask: why does the JWT.io generator ask for both the private and the public key? As you might have guessed, the tool decodes the token with the public key and checks that the original payload is recovered. That's equivalent to running:

>>> public_key = open('public.pub', 'r').read()
>>> # algorithms is a list; because the payload carries an 'aud' claim, decode needs the
>>> # expected audience too, otherwise it raises InvalidAudienceError
>>> decoded = jwt.decode(encoded, public_key, algorithms=['RS256'], audience='some.cool.server.com')
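Here is the whole round trip as one runnable script, added as an example and not code from the post: it generates a throwaway RSA key pair with the cryptography package instead of reading private.pub and public.pub (an assumption), signs and verifies with PyJWT exactly as above, and shows two things the jwt.io screen hides: the payload segment is readable by anyone without any key, and a payload edited under the old signature fails verification.

```python
import base64
import json
import time
import jwt  # PyJWT; RS256 additionally needs the 'cryptography' package
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

AUDIENCE = "some.cool.server.com"  # the aud claim from the post's payload

def make_keypair():
    # Throwaway RSA pair as PEM strings (assumption: stands in for private.pub / public.pub)
    key = rsa.generate_private_key(65537, 2048, backend=default_backend())
    private_pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                    serialization.NoEncryption()).decode()
    public_pem = key.public_key().public_bytes(serialization.Encoding.PEM,
                                               serialization.PublicFormat.SubjectPublicKeyInfo).decode()
    return private_pem, public_pem

def sign(payload, private_pem):
    # Private-key side of jwt.io: header.payload.signature, header filled in by PyJWT
    token = jwt.encode(payload, private_pem, algorithm="RS256")
    return token.decode() if isinstance(token, bytes) else token  # PyJWT 1.x returns bytes

def verify(token, public_pem):
    # Public-key side of jwt.io: checks the signature plus the exp and aud claims
    return jwt.decode(token, public_pem, algorithms=["RS256"], audience=AUDIENCE)

def peek_payload(token):
    # Reads the payload with no key at all: it is base64url-encoded, not encrypted
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(segment))

def demo():
    now = int(time.time())  # NumericDate claims are integers, not strings
    payload = {"iss": "xxxxx-xxxx-xxx-xxx", "sub": "xxxxx-xxxx-xxx-xxx", "iat": now,
               "exp": now + 3600, "aud": AUDIENCE, "scope": "random scope"}
    private_pem, public_pem = make_keypair()
    token = sign(payload, private_pem)
    header, _, sig = token.split(".")
    forged = dict(payload, scope="admin")  # change the payload, keep the old signature
    forged_body = base64.urlsafe_b64encode(json.dumps(forged).encode()).rstrip(b"=").decode()
    try:
        verify(".".join([header, forged_body, sig]), public_pem)
        tamper_rejected = False
    except jwt.InvalidTokenError:
        tamper_rejected = True
    return {"peek_scope": peek_payload(token)["scope"], "tamper_rejected": tamper_rejected,
            "verified": verify(token, public_pem) == payload}
```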

That's it. I hope this helps someone understand how the jwt.io token generator works under the hood.

NP

A tech enthusiast who resides in a jungle.