Authentication & Tokens Lab
Topical Authority Guide & Developer Workspace
Authentication validates a user's identity. Storing and transmitting these credentials requires secure protocols, including tokenized sessions, slow password-hashing algorithms, and time-based one-time passwords.
Topic Overview
Modern web apps rely on stateless authentication systems to scale. JSON Web Tokens (JWT) allow servers to verify user claims securely without database queries on every HTTP request.
Securing credentials requires using slow hashing functions, multi-factor authentication (MFA), and secure session tokens.
The Anatomy of a JWT
A JSON Web Token consists of three base64url-encoded parts separated by periods: the Header (signing algorithm), the Payload (claims such as subject, issuer, and expiration), and the Signature (integrity and authenticity check over the first two parts).
The signature guarantees that the token has not been tampered with in transit. Client applications inspect JWT payloads to handle route access, but decoding on the client proves nothing about who issued the token, so signature validation must happen on the server before any claim is trusted.
How Multi-Factor Authentication Works
Time-Based One-Time Passwords (TOTP) generate temporary verification codes from a shared secret. The algorithm divides the current Unix epoch time into 30-second steps and computes an HMAC over the step counter to derive each code.
Because TOTP codes are computed locally from a secret that is separate from the password, they prevent account compromise even if the primary password database is leaked.
Launch Interactive Developer Tools
Put these concepts into practice. Each tool decodes, generates, converts, or formats your data locally in your browser's memory:
JWT Inspector
Decode and inspect JWT payloads and headers safely in the browser.
Token Generator
Generate secure random tokens in browser-friendly formats.
OTP Code Generator
Create time-based one-time passcodes from a shared secret locally.
Bcrypt Hasher
Hash text with bcrypt cost factors using browser-side crypto libraries.
Comparative Guides & Technology Appraisals
Evaluate differences between specifications, formats, and cryptographic standards to pick the right architecture:
Bcrypt vs Argon2 Comparison
Compare bcrypt and Argon2 features, performance trade-offs, and best practices.
JWT vs Cookies Comparison
Compare JWT and cookie-based session features, performance trade-offs, and best practices.
OAuth2 vs SAML Comparison
Compare OAuth2 and SAML features, performance trade-offs, and best practices.
Frequently Asked Questions
- Are JWT claims encrypted by default?
- No. JWT payloads are only Base64URL-encoded, which is a reversible encoding, not encryption. Anyone who holds a token can decode and read its contents; never put passwords or other sensitive data inside payloads.
- How do TOTP generators stay in sync?
- TOTP client apps and server backends compute codes from the same shared secret and the same 30-second step derived from Unix time, so correctly set clocks on both sides produce the same code. To tolerate small clock drift, servers accept the codes for the steps immediately adjacent to the current one as well.