JWT Explained
Understand the token format powering modern authentication.
Practice with the tool: JWT Decoder →
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token for securely transmitting claims between parties. It is commonly used for authentication — after login, the server issues a JWT that the client includes in every subsequent request.
Structure
A JWT consists of three Base64Url-encoded parts separated by dots:
xxxxx.yyyyy.zzzzz
Header.Payload.Signature
Header — algorithm and token type:
{ "alg": "HS256", "typ": "JWT" }
Payload — the claims (data you want to transmit):
{ "sub": "1234", "name": "Alice", "exp": 1700000000 }
Signature — proves the token was not tampered with:
HMACSHA256(base64url(header) + "." + base64url(payload), secret)
⚠️ The payload is only encoded, not encrypted. Anyone can decode it. Never put passwords or sensitive secrets in the payload.
Standard Claims
| Claim | Meaning |
|---|---|
| iss | Issuer — who created the token |
| sub | Subject — who the token refers to |
| aud | Audience — intended recipient |
| exp | Expiration — Unix timestamp |
| iat | Issued at — Unix timestamp |
| jti | JWT ID — unique identifier |
Security Tips
- Always verify the signature on the server — never trust an unverified JWT
- Check exp — expired tokens must be rejected immediately
- Use HTTPS — tokens in transit must be protected from interception
- Keep secrets long and random — weak signing keys can be brute-forced
- Prefer short expiry + refresh tokens over long-lived JWTs