Introduction
JWT (JSON Web Token) has become the standard for modern web authentication. It's a compact, URL-safe way to transmit information between parties as a JSON object. It is used for single sign-on, API authentication, and information exchange, so understanding JWT is essential for building secure modern applications.
What is a JWT?
A JWT is a string consisting of three parts separated by dots:
xxxxx.yyyyy.zzzzz
│     │     │
│     │     └── Signature
│     └──────── Payload
└────────────── Header
The header and payload are Base64url-encoded JSON; the signature is the Base64url-encoded output of the signing algorithm. Together, they create a token that can be verified but not easily forged.
JWT Structure
Header
Specifies the token type and signing algorithm:
{
"alg": "HS256",
"typ": "JWT"
}
Base64-encoded: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload
Contains claims (user data and metadata):
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 1516242622
}
Base64-encoded (can be decoded and read by anyone!)
Signature
Verifies the token wasn't tampered with. Created by:
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
Only someone holding the secret key can produce or verify the signature. Unlike the header and payload, it is not encoded data that can be decoded back into anything readable; it is a MAC over the first two parts, so any change to them causes verification to fail.
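The following Python is an added example, not code from the original article, that builds and verifies an HS256 token exactly along the lines of the three-part structure and signature formula above. It uses only the standard library; the secret is a constructed demo value, and the header and payload are the ones shown in the text. It also shows the two facts the article stresses: the payload can be read by anyone without the secret, and a modified payload no longer verifies against the original signature.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. A real HMAC key is random, long, and kept out of source control.
SECRET = b"demo-secret-not-for-production"

HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022, "exp": 1516242622}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, which is how JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj: dict) -> str:
    """JSON with compact separators, so the header encodes to the familiar eyJhbGci... string."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Produce header.payload.signature following the HMACSHA256 formula in the text."""
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes):
    """Return the payload dict if the signature checks out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        # Only accept the algorithm this verifier was built for.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak how many bytes matched.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None


def decode_payload_unverified(token: str) -> dict:
    """What anyone can do without the secret: the payload is just Base64url JSON."""
    return json.loads(b64url_decode(token.split(".")[1]))


def tampered_copy(token: str, **changes) -> str:
    """Re-encode the payload with altered claims but keep the original signature.

    Used here only to show that verify_hs256 rejects the result.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{encode_segment(payload)}.{sig_b64}"


if __name__ == "__main__":
    token = sign_hs256(HEADER, PAYLOAD, SECRET)
    print("token:", token)
    print("header segment:", encode_segment(HEADER))
    print("readable without secret:", decode_payload_unverified(token))
    print("verifies with correct secret:", verify_hs256(token, SECRET) is not None)
    print("verifies after payload change:", verify_hs256(tampered_copy(token, sub="other"), SECRET) is not None)
```

Running the script prints the header segment `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` from the article, shows the payload decoding without the secret, and shows that the changed payload fails verification while the untouched token passes.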
Standard Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token |
| sub | Subject | User ID or identifier |
| aud | Audience | Intended recipients |
| exp | Expiration | When token expires (Unix timestamp) |
| iat | Issued At | When token was created |
| nbf | Not Before | Token valid after this time |
| jti | JWT ID | Unique identifier for the token |
Security Considerations
- JWT payload is NOT encrypted: Anyone can decode and read it. Never put sensitive data (passwords, secrets) in the payload.
- Signature prevents tampering: Without the secret, attackers cannot modify the token without detection.
- Always set expiration: Tokens without expiration never expire - stolen tokens remain valid forever.
- Use HTTPS: JWTs sent over HTTP can be intercepted. Always use TLS for transmission.
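Signature verification is only half of accepting a token; the standard claims in the table above still have to be checked, and the "always set expiration" point means a token with no `exp` should be refused outright. This Python function is an added example (not from the original article) of that second half. It assumes the signature has already been verified, takes the decoded payload as a dict, and uses a constructed issuer and audience plus a small clock-skew allowance; `now` is injectable so the checks are testable without waiting for real time to pass.

```python
import time
from typing import List, Optional

# Constructed values for this demo: which issuer and audience this service accepts.
EXPECTED_ISSUER = "https://issuer.example"   # placeholder
EXPECTED_AUDIENCE = "api.example"            # placeholder
CLOCK_SKEW_SECONDS = 60                      # tolerate small clock differences between systems


def validate_claims(payload: dict, now: Optional[int] = None,
                    leeway: int = CLOCK_SKEW_SECONDS) -> List[str]:
    """Return the reasons a verified token's claims should still be rejected.

    An empty list means the claims are acceptable. Call this only after the
    signature has been checked; claims in an unverified token prove nothing.
    """
    now = int(time.time()) if now is None else now
    problems: List[str] = []

    # exp: a token without an expiry never expires, so its absence is an error here.
    exp = payload.get("exp")
    if not isinstance(exp, int):
        problems.append("exp missing or not a Unix timestamp")
    elif now > exp + leeway:
        problems.append(f"expired at {exp}")

    # nbf: the token is not valid yet.
    nbf = payload.get("nbf")
    if isinstance(nbf, int) and now + leeway < nbf:
        problems.append(f"not valid before {nbf}")

    # iat: an issue time in the future points to a clock problem or a bad token.
    iat = payload.get("iat")
    if isinstance(iat, int) and iat > now + leeway:
        problems.append(f"issued in the future at {iat}")

    # iss: only trust tokens from the issuer we expect.
    if payload.get("iss") != EXPECTED_ISSUER:
        problems.append(f"unexpected issuer {payload.get('iss')!r}")

    # aud: may be a single string or a list of strings; we must be among the recipients.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("token not intended for this audience")

    # sub: the identity the token speaks for must be present.
    if not payload.get("sub"):
        problems.append("sub missing")

    return problems


if __name__ == "__main__":
    # Constructed payload built around the iat/exp values from the article.
    claims = {"iss": EXPECTED_ISSUER, "sub": "1234567890", "aud": EXPECTED_AUDIENCE,
              "iat": 1516239022, "exp": 1516242622}
    print("within lifetime:", validate_claims(claims, now=1516239100))
    print("one hour later: ", validate_claims(claims, now=1516242622 + 3600))
    print("no exp claim:   ", validate_claims({k: v for k, v in claims.items() if k != "exp"},
                                              now=1516239100))
```

The leeway is applied in the direction that favours the token (a slightly early `nbf` or slightly late `exp` still passes), which is the usual compromise between clock drift and the article's rule that expiry must be enforced.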
Conclusion
JWT provides a compact, self-contained way to transmit authenticated information. Remember that JWTs are encoded (Base64), not encrypted - the payload can be read by anyone. Security comes from the signature, which prevents tampering. Always use HTTPS, set reasonable expiration times, and never store sensitive data in the payload. Use our JWT Debugger to inspect and understand tokens before implementing them in your applications.