
What is JWT? JSON Web Tokens Explained

5 min read · Authentication

The short answer

A JSON Web Token (JWT) is a compact, self-contained way to securely transmit information between two parties as a JSON object. The information can be verified and trusted because it is digitally signed.

JWTs are most commonly used for authentication — after a user logs in, the server returns a JWT, and the client sends it with every subsequent request to prove who they are.

The structure of a JWT

A JWT consists of three parts separated by dots:

header.payload.signature

Each part is Base64URL encoded. A real JWT looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFuYSIsImlhdCI6MTUxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header

Contains the token type and signing algorithm.

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload (Claims)

Contains the data — user ID, roles, expiration, etc.

{
  "sub": "1234567890",
  "name": "Ana García",
  "role": "admin",
  "iat": 1516239022,
  "exp": 1516242622
}

3. Signature

Created by signing the Base64URL-encoded header and payload, joined with a dot, using a secret key (for HS256, an HMAC-SHA256 key held only by the server). This is what prevents tampering: any change to the header or payload invalidates the signature.

Standard claims (fields)

Claim  Name        Description
iss    Issuer      Who issued the token
sub    Subject     Who the token refers to (usually user ID)
exp    Expiration  Unix timestamp when the token expires
iat    Issued At   Unix timestamp when the token was created
aud    Audience    Who the token is intended for

How JWT authentication works

  1. User sends credentials (email + password) to the server
  2. Server validates credentials and creates a JWT signed with a secret key
  3. Server returns the JWT to the client
  4. Client stores the JWT (usually in memory or localStorage)
  5. Client sends the JWT in the Authorization: Bearer <token> header on every request
  6. Server verifies the signature and reads the payload — no database lookup needed

JWT vs session cookies

             JWT                    Session Cookie
Storage      Client-side            Server-side
Scalability  Easy (stateless)       Requires shared session store
Revocation   Hard (until expiry)    Easy (delete session)
Best for     APIs, microservices    Traditional web apps

Common security mistakes

  • Accepting the "none" algorithm — the server must reject it and only accept the algorithm it expects, rather than trusting the alg value in the token's header
  • Storing JWTs in localStorage — vulnerable to XSS; prefer httpOnly cookies for sensitive apps
  • No expiration — always set exp; short-lived tokens (15 min) are safer
  • Trusting the payload without verifying the signature — always verify on the server
  • Putting sensitive data in the payload — the payload is only Base64 encoded, not encrypted; anyone can decode it
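To tie the structure, the verification step and the mistakes above together, here is an added example (not code from the original guide) that signs and verifies an HS256 token with only the standard library; the secret and the sample claims are constructed for the demo. The verifier pins the algorithm, checks the signature in constant time before trusting the payload, and enforces exp.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret (assumption, not from the page); in practice keep it out of source
SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    # Base64URL without '=' padding, as the JWT spec requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that Base64URL strips before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact JSON (no spaces) so the encoded parts are stable across runs
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")  # base64url(header) + "." + base64url(payload)
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected header.payload.signature")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: "none" (or anything other than HS256) is rejected outright,
    # so the token's own header can never switch off signature checking
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison; the payload is only decoded and trusted after this passes
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


if __name__ == "__main__":
    tok = sign_hs256({"sub": "1234567890", "role": "user", "iat": 1516239022, "exp": 1516242622}, SECRET)
    print(tok)
    print(verify_hs256(tok, SECRET, now=1516239100))
```

Because the header is the same compact JSON the guide shows, the first segment of the generated token is identical to the one in the sample token above; a payload edited after signing (for example, role changed to "admin") fails the signature check even though it still decodes cleanly.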
