
Sign JSON Web Tokens (JWT) with jwt.io

This article covers how to sign a JSON Web Token (JWT) using jwt.io together with DigiCert Software Trust Manager. Alternatively, you can sign a JWT using Java code.

Create header and payload

What is the header?

The header declares how the token is protected: whether it is signed or encrypted, and which algorithm is used. In this article the header names RS256 (an RSA signature over a SHA-256 digest) and the token type JWT.

Header sample: 

{ "alg": "RS256", "typ": "JWT" }

What is the payload?

The payload carries the claims, generally information about the user. No claim is mandatory, and you can include as many claims as you want. Keep in mind that the payload is only Base64URL-encoded, not encrypted: anyone who holds the token can read it, so do not put secrets in it.

Payload sample

{ "sub": "1234567890", "name": "John Doe", "admin": true, "iat": 1516239022 }

To create the Base64URL-encoded header and payload:

  1. Access the JWT.io debugger.

  2. Enter the algorithm and token type into the Header section. You can also add further header parameters.

  3. Enter the user information into the Payload section. The debugger encodes the compact (whitespace-free) JSON, which is why the outputs below are shorter than the pretty-printed samples above.

Examples

Base64URL-encoded header output sample:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9

Base64URL-encoded payload output sample:

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0

Note

The JWT.io debugger UI shows the Base64URL-encoded token as Header.Payload, the two encoded parts joined by a single dot.

Create header and payload hash

Use the Base64URL-encoded header and payload you have just created to compute the hash in OpenSSL or CertUtil. Save the string Header.Payload (the two Base64URL strings joined by one dot) to a file without a trailing newline: the hash is computed over exactly the bytes in the file, and an extra newline or carriage return produces a signature that will not verify against the token.

For this example, we hash (Y) with SHA-256, which is the digest that RS256 (SHA256withRSA) signs, in OpenSSL or CertUtil.

Header and payload hash format:

(Y) = Header.Payload

Signature = Base64URLEncode(RSASHA256(Y)), where RSASHA256(Y) is the RSA signature over SHA256(Y). In this workflow you compute SHA256(Y) yourself and hand it, Base64-encoded, to Software Trust Manager for signing.

OpenSSL example

openssl dgst -sha256 "C:\path_to_file"

CertUtil example

certutil -hashfile "C:\path_to_file" SHA256

Note

Both tools print the hash in hex format. Before you can sign the hash with DigiCert Software Trust Manager, you need to convert it from hex to Base64.

Use Base64.Guru (or any local hex-to-Base64 converter) to convert hex to Base64:

SHA-256 hash output sample (hex):

8041fb8cba9e4f8cc1483790b05262841f27fdcb211bc039ddf8864374db5f53

Base64 output sample:

gEH7jLqeT4zBSDeQsFJihB8n/cshG8A53fiGQ3TbX1M=

Sign header and payload hash using the REST API

The example below demonstrates signing the Base64 hash using the Software Trust Manager REST API via the Postman client. The service signs the digest with the private key of the keypair you select; the private key never leaves Software Trust Manager.

A detailed list of features and parameters for this API can be found here.

Base64 signed hash sample:

AxE9qm4aTZiXvA2G8sblAxjeLhomy7lTQpcPCV6q/7asKyegL3305BcV/EUF950yOeJQqMBplzhP+pAKCiGS0oFLXjNZvUsifCpQCqJfRKFyxpnD8agtbB9UZLEhSEET3lKPSF1Y0Sqbcz1SkFafV0PZ9Hi3HepUtjXQ8zLUxMt+3cBnK9a5I4gc32fq9Pkgt+3Ysnw02SIzdiCyoQGiDDJA9CtJ3RNY1DnOEL6qB4PzwQSrHz8hyXdlotpHQ1Izgms8Sv62w3VKQJBRjnRLNVhszO4tg3YsvXpINEkL4KCKLOCDwLT1Y+Tj8LANn2fbU5XeuDGa43k1bwNXmDH78w==

Note

The signature above is in Base64 format. Convert it to Base64URL before assembling the token; the jwt.io debugger only verifies a signature in Base64URL form.

What is the main difference between Base64 vs Base64URL?

Base64 uses the characters +, /, and =, which have a reserved meaning in URLs and in some filesystem names. Base64URL solves this by replacing + with - and / with _. The trailing padding character = is dropped, because a decoder can infer the padding from the length of the string.

Create JWT token

Paste the Base64 signed hash you have just created into base64url.com to convert the signature to Base64URL.

Base64URL signed hash sample:

AxE9qm4aTZiXvA2G8sblAxjeLhomy7lTQpcPCV6q_7asKyegL3305BcV_EUF950yOeJQqMBplzhP-pAKCiGS0oFLXjNZvUsifCpQCqJfRKFyxpnD8agtbB9UZLEhSEET3lKPSF1Y0Sqbcz1SkFafV0PZ9Hi3HepUtjXQ8zLUxMt-3cBnK9a5I4gc32fq9Pkgt-3Ysnw02SIzdiCyoQGiDDJA9CtJ3RNY1DnOEL6qB4PzwQSrHz8hyXdlotpHQ1Izgms8Sv62w3VKQJBRjnRLNVhszO4tg3YsvXpINEkL4KCKLOCDwLT1Y-Tj8LANn2fbU5XeuDGa43k1bwNXmDH78w

JWT token

We now have all three components in the correct format to complete the JWT token.

JWT format:

A JSON Web Token consists of three parts separated by dots ( . ):

Header.Payload.Signature

Y = Base64URLEncode(header) + '.' + Base64URLEncode(payload)

JWT token = Y + '.' + Base64URLEncode(RSASHA256(Y))

Note that Y is the same string you hashed earlier, so the signature must be appended to that exact string, with no whitespace anywhere in the token.

JWT sample:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.AxE9qm4aTZiXvA2G8sblAxjeLhomy7lTQpcPCV6q_7asKyegL3305BcV_EUF950yOeJQqMBplzhP-pAKCiGS0oFLXjNZvUsifCpQCqJfRKFyxpnD8agtbB9UZLEhSEET3lKPSF1Y0Sqbcz1SkFafV0PZ9Hi3HepUtjXQ8zLUxMt-3cBnK9a5I4gc32fq9Pkgt-3Ysnw02SIzdiCyoQGiDDJA9CtJ3RNY1DnOEL6qB4PzwQSrHz8hyXdlotpHQ1Izgms8Sv62w3VKQJBRjnRLNVhszO4tg3YsvXpINEkL4KCKLOCDwLT1Y-Tj8LANn2fbU5XeuDGa43k1bwNXmDH78w

Verify JWT

  1. Download the public key for the keypair you used to sign the hash from DigiCert Software Trust Manager.

  2. Access the jwt.io debugger.

  3. Paste your JWT token into the Encoded box.

  4. Paste the public key (PEM format) into the Verify Signature box. The debugger reports the signature as verified only if every step was completed correctly. If it is not verified, the usual causes are a trailing newline in the file you hashed, a signature that was not converted from Base64 to Base64URL, or a public key that does not belong to the keypair that signed the hash.
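The whole procedure above (encode header and payload, hash Header.Payload, sign the digest, convert the signature to Base64URL, assemble the token, verify it), as an added example that is not DigiCert's code or part of the original article. It runs the flow locally with the openssl command-line tool: a throwaway RSA key stands in for the Software Trust Manager keypair, and openssl pkeyutl stands in for the STM REST signing call, which likewise receives only the SHA-256 digest and returns a Base64 signature. The function names, the temporary-file layout and the tampered-token check are this example's own; the header, payload, hash and signature values it works with are the ones from this article.

```shell
#!/bin/sh
# Added example, not DigiCert's code: the article's RS256 flow run end to end
# with OpenSSL. The throwaway RSA key stands in for the keypair held in
# DigiCert Software Trust Manager, and the pkeyutl call stands in for the STM
# REST signing request (digest in, Base64 signature out).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The article's sample header and payload in compact JSON: any whitespace
# change produces a different Base64URL string and a different digest.
HEADER='{"alg":"RS256","typ":"JWT"}'
PAYLOAD='{"sub":"1234567890","name":"John Doe","admin":true,"iat":1516239022}'

# Base64 -> Base64URL: swap / and + for _ and -, then drop the = padding.
b64_to_b64url() { printf '%s' "$1" | tr '/+' '_-' | tr -d '='; }

# Base64URL -> raw bytes on stdout: restore the alphabet and the padding.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="${s}==" ;; 3) s="${s}=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# Base64URL-encode stdin on a single line.
b64url_encode() { b64_to_b64url "$(openssl base64 -A)"; }
encode_part()   { printf '%s' "$1" | b64url_encode; }

# The article's hex -> Base64 step (for the hex that dgst/certutil print),
# done locally instead of pasting the hash into a web converter.
hex_to_b64() {
  hx=$1
  while [ -n "$hx" ]; do
    byte=${hx%"${hx#??}"}                       # first two hex digits
    printf "\\$(printf '%03o' "$(( 0x$byte ))")" # emit that byte
    hx=${hx#??}
  done | openssl base64 -A
}

# Hash Header.Payload, sign the digest, append the Base64URL signature.
jwt_sign_rs256() {   # $1 = private key PEM
  h=$(encode_part "$HEADER"); p=$(encode_part "$PAYLOAD")
  # printf, not echo: a trailing newline in the file changes the digest and
  # the signature then fails to verify against Header.Payload.
  printf '%s.%s' "$h" "$p" > "$WORK/signing_input"
  openssl dgst -sha256 -binary -out "$WORK/digest.bin" "$WORK/signing_input"
  # RS256 is RSASSA-PKCS1-v1_5 over SHA-256; digest:sha256 tells pkeyutl the
  # input is already a digest, so it adds the DigestInfo prefix before padding.
  openssl pkeyutl -sign -inkey "$1" -in "$WORK/digest.bin" \
    -pkeyopt digest:sha256 -out "$WORK/sig.bin"
  sig_b64=$(openssl base64 -A < "$WORK/sig.bin")   # the Base64 form STM returns
  printf '%s.%s.%s' "$h" "$p" "$(b64_to_b64url "$sig_b64")"
}

# Verify a JWT against a public key over the bytes as received; prints ok or FAIL.
jwt_verify_rs256() {   # $1 = public key PEM, $2 = JWT
  h=${2%%.*}; rest=${2#*.}; p=${rest%%.*}; s=${rest#*.}
  printf '%s.%s' "$h" "$p" > "$WORK/verify_input"
  b64url_decode "$s" > "$WORK/verify_sig.bin"
  if openssl dgst -sha256 -verify "$1" -signature "$WORK/verify_sig.bin" \
       "$WORK/verify_input" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

# Same header and signature, but "admin":true flipped to false in the payload.
tampered_jwt() {
  h=${1%%.*}; rest=${1#*.}; s=${rest#*.}
  p=$(printf '%s' "${PAYLOAD%true*}false${PAYLOAD#*true}" | b64url_encode)
  printf '%s.%s.%s' "$h" "$p" "$s"
}

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key.pem" 2>/dev/null
openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem"
JWT=$(jwt_sign_rs256 "$WORK/key.pem")
echo "$JWT"
echo "original: $(jwt_verify_rs256 "$WORK/pub.pem" "$JWT")"
echo "tampered: $(jwt_verify_rs256 "$WORK/pub.pem" "$(tampered_jwt "$JWT")")"
```

Run it with sh. It prints the assembled token, then ok for the original and FAIL for the copy whose admin claim was flipped, which is the property the signature exists to give you: it covers Header.Payload byte for byte, so the same trailing-newline mistake that breaks verification in the debugger would break it here as well, which is why the signing input is written with printf '%s' rather than echo.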