Security 2026-03-09

Manage API Tokens: Decode JWT → Verify Hash → Encode Secrets

Full API token management workflow: inspect JWTs for claim issues, verify token hashes against stored values, and encode new secrets safely for deployment.

Workflow uses: JWT Decoder, Hash Generator, Base64 Encoder (all free)

The Problem

You're rotating API tokens across multiple services. You need to verify existing tokens are well-formed, check that stored token hashes are correct, and safely encode new signing secrets for deployment. This workflow covers the full token lifecycle.

Why This Matters

Token rotation is a security best practice but often skipped because it's tedious. A clear three-step workflow removes the friction: inspect current state, verify stored hashes, encode and deploy new secrets. Each step takes under 30 seconds.

Step-by-Step Instructions

1. Inspect current token claims

Paste the current JWT into the JWT Decoder. Verify the iss (issuer), aud (audience), sub (subject), and exp (expiry). Confirm the token structure before rotating.

2. Hash the existing token for audit logging

Paste the token into the Hash Generator and compute SHA-256. Store this hash in your audit log as a reference. When you rotate the token, hash the new one and log both — this creates an auditable token rotation history.

3. Encode the new signing secret

Take your new JWT signing secret and encode it with the Base64 Encoder. The Base64-encoded secret is safe to store in Kubernetes secrets, CI variables, or .env files without shell escaping issues.
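The three steps above carried out in one script, as an added example that is not code from this page or from the tools it links: it decodes the header and payload of a JWT without the secret, checks the iss/aud/sub/exp claims, verifies the HS256 signature when you do hold the secret, hashes the old token with SHA-256 for the audit log, and Base64-encodes a new signing secret in the form the "after" rotation log uses. The sample token is built inside the script from a constructed secret and constructed claims; the issuer, audience and subject values are placeholders, not values from the page.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data for this example (placeholders, not values from
# the page): the "old" secret, the candidate new secret, and the old claims.
OLD_SECRET = b"my-old-secret"
NEW_SECRET = b"new-signing-secret"
OLD_PAYLOAD = {
    "iss": "https://auth.example.internal",
    "aud": "billing-api",
    "sub": "svc-billing",
    "iat": 1773046800,  # 2026-03-09T09:00:00Z
    "exp": 1773054000,  # 2026-03-09T11:00:00Z
}

def b64url_encode(raw: bytes) -> str:
    # JWT segments use base64url with the '=' padding stripped (RFC 7515)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # restore the stripped padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token; used here to build the sample input."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def decode_jwt(token: str) -> dict:
    """Step 1: read header and payload. No secret is needed for this,
    which is why nothing sensitive belongs in a payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    return {"header": json.loads(b64url_decode(parts[0])),
            "payload": json.loads(b64url_decode(parts[1]))}

def check_claims(payload: dict, expected_iss: str, expected_aud: str,
                 now=None) -> list:
    """Step 1 continued: list claim problems; an empty list means OK."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != expected_iss:
        problems.append("iss mismatch")
    aud = payload.get("aud")  # 'aud' may be a string or a list of strings
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud mismatch")
    if "sub" not in payload:
        problems.append("sub missing")
    exp = payload.get("exp")
    if exp is None:
        problems.append("exp missing")
    elif exp <= now:
        problems.append("token expired")
    return problems

def verify_hs256(token: str, secret: bytes) -> bool:
    """Only the signature check needs the secret. The algorithm is pinned,
    so a header claiming 'none' or another alg is rejected outright."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))

def token_fingerprint(token: str) -> str:
    """Step 2: SHA-256 of the token for the audit log, so the log itself
    never holds a usable credential."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()

def encode_secret(secret: bytes) -> str:
    """Step 3: standard Base64, padding kept, for .env, CI and Kubernetes."""
    return base64.b64encode(secret).decode("ascii")

def rotation_record(old_token: str, new_secret: bytes, rotated_at: str) -> dict:
    """The rotation-log entry in the form of the 'after' example."""
    return {"OLD_TOKEN_HASH": token_fingerprint(old_token),
            "NEW_JWT_SECRET": encode_secret(new_secret),
            "ROTATED_AT": rotated_at}

OLD_TOKEN = sign_hs256(OLD_PAYLOAD, OLD_SECRET)

if __name__ == "__main__":
    claims = decode_jwt(OLD_TOKEN)["payload"]
    print("claims:", claims)
    # evaluate the claims as of 2026-03-09T10:00:00Z, the rotation time
    print("problems:", check_claims(claims, OLD_PAYLOAD["iss"], "billing-api", now=1773050400))
    print("old secret verifies:", verify_hs256(OLD_TOKEN, OLD_SECRET))
    for k, v in rotation_record(OLD_TOKEN, NEW_SECRET, "2026-03-09T10:00:00Z").items():
        print(f"{k}={v}")
```

Run it as a script to print the decoded claims and the rotation-log lines. The Base64 form of the secret is an encoding, not protection: anyone who can read the .env file or CI variable can decode it, so that file needs the same access controls as the raw secret.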


Before & After Example

Token rotation without a process (error-prone):

# Current state
OLD_JWT_SECRET=my-old-secret     # weak
TOKEN_HASH=???                   # unknown

# During rotation:
# 1. Don't know if old tokens are expired
# 2. No audit trail
# 3. New secret may have encoding issues

Systematic token rotation with audit trail:

# Rotation log
OLD_TOKEN_HASH=a3f5c8d2e1b4...   # SHA-256 of old token
NEW_JWT_SECRET=bmV3LXNpZ25pbmct... # Base64-encoded
ROTATED_AT=2026-03-09T10:00:00Z

# Old tokens expire: 2026-03-09T11:00:00Z (from JWT decoder)
# New tokens issued from: 2026-03-09T10:00:00Z

Frequently Asked Questions

How often should I rotate API tokens?

For user-facing JWTs: access tokens every 15-60 minutes, refresh tokens every 30-90 days. For service-to-service API keys: at least every 90 days, or as soon as any team member with access leaves. For signing secrets: rotate immediately on any suspected compromise.

What's the difference between a JWT and an opaque API key?

JWTs are self-contained — they carry claims and can be decoded without a database lookup. Opaque API keys are random strings that require a database lookup to validate. JWTs validate faster (no lookup) but can't be revoked before they expire; opaque keys can be revoked immediately.

Can I decode a JWT without the secret key?

Yes — the header and payload are Base64-encoded, not encrypted. Anyone can decode them. Only the signature requires the secret to verify. Never put data in a JWT payload that you don't want readable by clients.
