What is JWT? JSON Web Tokens Explained
5 min read · Authentication
The short answer
A JSON Web Token (JWT) is a compact, self-contained way to securely transmit information between two parties as a JSON object. The information can be verified and trusted because it is digitally signed.
JWTs are most commonly used for authentication — after a user logs in, the server returns a JWT, and the client sends it with every subsequent request to prove who they are.
The structure of a JWT
A JWT consists of three parts separated by dots:
header.payload.signature
Each part is Base64URL encoded. A real JWT looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFuYSIsImlhdCI6MTUxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
1. Header
Contains the token type and signing algorithm.
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
2. Payload (Claims)
Contains the data — user ID, roles, expiration, etc.
```json
{
  "sub": "1234567890",
  "name": "Ana García",
  "role": "admin",
  "iat": 1516239022,
  "exp": 1516242622
}
```
3. Signature
Created by signing the encoded header + payload with a secret key. This is what prevents tampering.
Standard claims (fields)
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token |
| sub | Subject | Who the token refers to (usually user ID) |
| exp | Expiration | Unix timestamp when the token expires |
| iat | Issued At | Unix timestamp when the token was created |
| aud | Audience | Who the token is intended for |
How JWT authentication works
- User sends credentials (email + password) to the server
- Server validates credentials and creates a JWT signed with a secret key
- Server returns the JWT to the client
- Client stores the JWT (usually in memory or localStorage)
- Client sends the JWT in the `Authorization: Bearer <token>` header on every request
- Server verifies the signature and reads the payload — no database lookup needed
JWT vs session cookies
| | JWT | Session Cookie |
|---|---|---|
| Storage | Client-side | Server-side |
| Scalability | Easy (stateless) | Requires shared session store |
| Revocation | Hard (until expiry) | Easy (delete session) |
| Best for | APIs, microservices | Traditional web apps |
Common security mistakes
- Accepting the "none" algorithm — always check that the token's algorithm is the one your server expects, and never let the token's header choose the verification method
- Storing JWTs in localStorage — readable by any script on the page, so vulnerable to XSS; prefer httpOnly cookies for sensitive apps
- No expiration — always set `exp`; short-lived tokens (15 min) are safer
- Trusting the payload without verifying the signature — always verify on the server before reading any claim
- Putting sensitive data in the payload — the payload is only Base64URL encoded, not encrypted; anyone holding the token can decode it