Help center

JWT FAQ

Answers to the most common questions developers and security teams ask about JSON Web Tokens.

Is the JWT decoder secure?

Yes. The decoder runs entirely in your browser and never sends tokens to a server. Your secrets stay local.

Does JWTSecrets verify signatures?

The free decoder performs structural checks. JWTSecrets Enterprise validates signatures against your key management system.

Where should I store tokens in a browser?

Prefer HttpOnly cookies for session tokens, because page scripts cannot read them. Avoid localStorage when possible: any script running on the page can read it, so an XSS bug exposes the token.

How do I revoke a JWT?

Maintain a revocation list keyed by `jti` or user ID. Gateways or APIs should check the list and deny access when the token's `jti` or user ID appears on it.
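The check described above, as an added example (not JWTSecrets code): an HS256 token is verified first and only then looked up in two revocation lists. The in-memory sets, the use of `sub` as the user ID, the rejection of tokens without a `jti`, and all function names are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a demo token (used only to build constructed sample input)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def authorize(token: str, secret: bytes, revoked_jtis: set, revoked_users: set, now=None):
    """Return (allowed, reason): signature, expiry, then both revocation lists."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        mac = b64url_decode(sig)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return False, "malformed"
    # Pin the algorithm; never let the token's header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    claims = json.loads(b64url_decode(body))  # trusted only after the MAC check
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False, "expired"
    # A token without jti cannot be revoked individually, so refuse it (assumption).
    if claims.get("jti") is None or claims["jti"] in revoked_jtis:
        return False, "jti missing or revoked"
    if claims.get("sub") in revoked_users:  # assumption: user ID is carried in "sub"
        return False, "revoked user"
    return True, "ok"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    token = sign_hs256({"sub": "user-1", "jti": "a1", "exp": time.time() + 300}, secret)
    print(authorize(token, secret, set(), set()))       # nothing revoked
    print(authorize(token, secret, {"a1"}, set()))      # this one token revoked
    print(authorize(token, secret, set(), {"user-1"}))  # every token for the user revoked
```

Entries in the `jti` list only need to be kept until the token's `exp` passes, since an expired token is rejected anyway.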

What is the difference between HS256 and RS256?

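HS256 signs and verifies with a single shared secret, so every service that can validate tokens can also mint them. RS256 signs with a private key and verifies with the matching public key, which makes it safer when multiple services validate tokens.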

Need more help?

Explore our full tutorial or contact hello@jwtsecrets.com.