browserutils
← All terms

// glossary

What is a JWT?

A JWT (JSON Web Token) is a compact, URL-safe token format that encodes a JSON payload with a cryptographic signature, used for authentication and secure data exchange between parties.

A JWT (JSON Web Token) is a compact, URL-safe token format that encodes a JSON payload with a cryptographic signature, used for authentication and secure data exchange between parties. JWTs are defined in RFC 7519.

Structure

A JWT consists of three Base64URL-encoded parts separated by dots:

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U
│                      │                               │
└── Header             └── Payload                     └── Signature
  • Header: Specifies the algorithm (e.g., HS256, RS256) and token type.
  • Payload: Contains the claims — key-value pairs carrying the actual data (user ID, expiration time, roles).
  • Signature: Computed from the header, payload, and a secret key. This prevents tampering.

How authentication works with JWTs

The typical flow: a user logs in with credentials, the server validates them and returns a signed JWT. The client stores this token (usually in memory or an HTTP-only cookie) and sends it with subsequent requests in the Authorization: Bearer <token> header. The server verifies the signature on each request without querying a database.

This makes JWTs stateless — the server doesn’t need to store session data. That’s the main advantage over traditional session-based authentication.

Standard claims

The JWT spec defines several registered claims:

  • iss (issuer): Who created the token
  • sub (subject): Who the token is about (often a user ID)
  • exp (expiration): Unix timestamp when the token expires
  • iat (issued at): When the token was created
  • aud (audience): Who the token is intended for

You can add any custom claims you need alongside these.

Common pitfalls

  • JWTs are not encrypted by default. The payload is Base64URL-encoded, not encrypted. Anyone can decode and read it. Don’t put sensitive data in a JWT unless you use JWE (JSON Web Encryption).
  • Token revocation is hard. Since JWTs are stateless, you can’t invalidate one without maintaining a blocklist — which defeats some of the stateless benefit.
  • Short expiration times matter. Set exp to minutes or hours, not days. Use refresh tokens for longer sessions.

Inspect and debug tokens with the JWT Decoder, or build tokens for testing with the JWT Builder.

#Related Tools

JWT Decoder
Decode and inspect JSON Web Tokens
JWT Builder
Encode and build JSON Web Tokens
Base64 Encoder / Decoder
Encode and decode Base64 strings instantly
HMAC Generator
Generate HMAC message authentication codes

#Related Terms

What is JSON?
JSON (JavaScript Object Notation) is a lightweight, text-based data interchange format that uses human-readable key-value pairs and arrays to structure data.
What is Base64 Encoding?
Base64 is a binary-to-text encoding scheme that represents binary data as a string of ASCII characters, using a 64-character alphabet of letters, digits, plus, and slash.
What is SHA-256?
SHA-256 is a cryptographic hash function from the SHA-2 family that produces a fixed 256-bit (32-byte) digest from any input, widely used for data integrity verification and digital signatures.
What is OAuth?
OAuth 2.0 is an authorization framework that allows third-party applications to access a user's resources on another service without exposing the user's credentials.
What is a REST API?
A REST API (Representational State Transfer Application Programming Interface) is an architectural style for web services that uses HTTP methods and URLs to perform operations on resources.

#Learn More

Glossary
What is Base64?
Glossary
What is JWT?
Glossary
What is OAuth?
Guide
How to Decode a JWT Token