What is a JWT? A Complete Guide to JSON Web Tokens
Authentication and authorization are cornerstones of modern web security. One technology that has become nearly universal is the JSON Web Token (JWT). Whether you are building APIs, SPAs, or mobile apps, chances are you’ve worked with JWTs.
🔍 What is a JWT?
A JWT is a compact, URL-safe token that represents claims between two parties. It is widely used for authentication, authorization, and secure information exchange.
A JWT consists of three parts, separated by dots:
header.payload.signature
- Header: Contains metadata such as the signing algorithm (e.g., HS256, HMAC with SHA-256) and the token type.
- Payload: Stores claims such as the subject (user ID), roles, issue time (iat), and expiration time (exp).
- Signature: A MAC or digital signature computed over the encoded header and payload with a secret or private key. It lets the receiver detect any change to the header or payload and confirm that the token was issued by a holder of that key.
🧩 Example JWT Structure
Here’s an example of a decoded JWT:
Section | Content |
---|---|
Header | { "alg": "HS256", "typ": "JWT" } |
Payload | { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 } |
Signature | HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret) |
✅ Why JWTs Are Popular
- Compact: Easy to include in an HTTP Authorization header. Putting a token in a URL is possible but risky, since URLs end up in browser history, proxy logs, and Referer headers.
- Self-contained: The claims the receiver needs travel inside the token, so no extra lookup is required to identify the caller.
- Stateless: The server verifies the signature instead of looking up a session. The trade-off is that a token cannot be revoked before it expires unless you add server-side state such as a denylist or short-lived tokens with refresh.
⚠️ Common JWT Misconceptions
While JWTs are powerful, they are often misunderstood:
- JWTs are not encrypted: A signed JWT (JWS) is only base64url-encoded, so anyone who obtains the token can read every claim. Do not put secrets or personal data in the payload unless you use an encrypted JWT (JWE) or encrypt the values separately.
- Expiration is critical: Without an exp claim, a leaked token is valid forever. Set a short lifetime and reject tokens whose exp has passed.
- Always validate signatures: Decoding a JWT only reads it; it proves nothing. Verify the signature with the expected key, check the claims you rely on (exp, and iss or aud where applicable), and pin the algorithm your service accepts instead of trusting the alg value in the token's own header.
🚀 Try It Yourself
You can safely test tokens using our JWT Decoder. It runs 100% client-side, so your tokens never leave your browser.
In conclusion, JWTs are a backbone of secure web communication. They’re not a silver bullet, but when used properly, they make authentication more scalable, efficient, and portable across applications.