# What is a JWT?

> A JWT (JSON Web Token) is a compact, URL-safe token format that encodes a JSON payload with a cryptographic signature, used for authentication and secure data exchange between parties.

- URL: https://www.browserutils.dev/glossary/jwt
- Published: 2026-03-21
- Updated: 2026-03-16

---

**JWT (JSON Web Token)** is a compact, URL-safe token format that encodes a JSON payload with a cryptographic signature, used for authentication and secure data exchange between parties. Defined in RFC 7519, a JWT consists of three Base64URL-encoded segments — header, payload, and signature — separated by dots, and is most commonly issued by an OAuth or OpenID Connect provider.

## Structure

A JWT consists of three Base64URL-encoded parts separated by dots:

```
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U
│                    │                           │
└── Header           └── Payload                 └── Signature
```

- **Header**: Specifies the algorithm (e.g., HS256, RS256) and token type.
- **Payload**: Contains the claims — key-value pairs carrying the actual data (user ID, expiration time, roles).
- **Signature**: Computed over the header and payload with a secret key (or, for asymmetric algorithms such as RS256, a private key). Any change to the header or payload invalidates the signature, so tampering is detected on verification.

## How authentication works with JWTs

The typical flow: a user logs in with credentials, the server validates them and returns a signed JWT. The client stores this token (usually in memory or an HTTP-only cookie) and sends it with subsequent requests in the `Authorization: Bearer <token>` header. The server verifies the signature on each request without querying a database.

This makes JWTs stateless — the server doesn't need to store session data. That's the main advantage over traditional session-based authentication.

## Standard claims

The JWT spec defines several registered claims:
- `iss` (issuer): Who created the token
- `sub` (subject): Who the token is about (often a user ID)
- `exp` (expiration): Unix timestamp when the token expires
- `iat` (issued at): When the token was created
- `aud` (audience): Who the token is intended for

You can add any custom claims you need alongside these.

## Common pitfalls

- **JWTs are not encrypted by default.** The payload is Base64URL-encoded, not encrypted. Anyone can decode and read it. Don't put sensitive data in a JWT unless you use JWE (JSON Web Encryption).
- **Token revocation is hard.** Since JWTs are stateless, you can't invalidate one without maintaining a blocklist — which defeats some of the stateless benefit.
- **Short expiration times matter.** Set `exp` to minutes or hours, not days. Use refresh tokens for longer sessions.
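As an added example (not code from this page or from browserutils.dev), the following standard-library Python implements the flow and checks described above: an HS256 signer, a verifier that pins the algorithm instead of trusting the token's own `alg`, compares signatures in constant time and enforces `exp` and `aud`, and a helper showing that the payload is readable without the key. The secret, claims and audience value are constructed for this example.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret for this example; a real service loads it from a secret store.
SECRET = b"demo-secret-do-not-use"

def b64url_encode(data: bytes) -> str:
    # JWT segments use Base64URL without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Return header.payload.signature for the given claims, signed with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, audience: str, now=None) -> dict:
    """Verify signature, exp and aud; raise ValueError on any failure, return claims otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm server-side: never let the token choose it (this also rejects alg "none").
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the signature check does not leak timing information
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims

def peek_payload(token: str) -> dict:
    # First pitfall above: the payload is only encoded, so anyone can read it without the key
    return json.loads(b64url_decode(token.split(".")[1]))
```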

Inspect and debug tokens with the [JWT Decoder](/tools/jwt-decoder), or build tokens for testing with the [JWT Builder](/tools/jwt-builder).