What Is a JWT Token? How JSON Web Tokens Work
JSON Web Tokens (JWTs) are one of the most popular methods for handling authentication and authorization in modern web applications. If you've ever logged into a web app and wondered how the server knows who you are on subsequent requests, there's a good chance JWTs are involved. This guide explains how they work in plain language.
What Is a JWT?
A JWT (pronounced "jot") is a compact, URL-safe token that carries a set of claims, encoded as a JSON object, between two parties. It is defined by RFC 7519 and is widely used for authentication, authorization, and information exchange. In its usual signed form (a JWS) the token is integrity-protected: a receiver holding the right key can detect any change to it. It is not confidential unless it is additionally encrypted (a JWE); anyone who obtains a signed JWT can read its contents.
A JWT looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
You can paste any JWT into our JWT Decoder to see its contents instantly.
The Three Parts of a JWT
A JWT consists of three parts separated by dots: Header, Payload, and Signature.
1. Header
The header is a small JSON object, Base64url-encoded, that typically states the token type (JWT) and the signing algorithm (e.g., HS256, RS256). Because it travels inside the token, the alg value is supplied by whoever presents the token, not by the server; a verifier should accept only the algorithm it was configured for rather than reading that choice from the header.
{ "alg": "HS256", "typ": "JWT" }
2. Payload
The payload contains the "claims" — statements about the user and additional metadata. Common standard claims include:
| Claim | Full Name | Description |
|---|---|---|
| sub | Subject | The principal the token is about, typically a user ID |
| iat | Issued At | When the token was created (Unix timestamp) |
| exp | Expiration | When the token stops being valid (Unix timestamp) |
| iss | Issuer | Who issued the token |
| aud | Audience | Who the token is intended for; a string or an array of strings |
The iat and exp claims use Unix timestamps. You can convert these to human-readable dates with our timestamp converter.
3. Signature
The signature is what lets a verifier detect tampering with the header or payload. It is computed over the encoded header and the encoded payload, joined by a dot (the "signing input"), using the algorithm named in the header. For HMAC algorithms such as HS256 the key is a secret shared between issuer and verifier; for RS256 the issuer signs with its private key and verifiers check the signature with the matching public key. For HS256 the computation is:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
The verifier recomputes this value and compares it with the token's signature segment using a constant-time comparison. If the two differ, the token is rejected regardless of what the payload says.
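Here is an added example, not code from the original page, that works through the three segments in Python: it splits the token shown above, restores the base64url padding that JWTs strip, decodes the header and payload without verifying anything, and computes the HS256 signature exactly as the formula describes. The demo key and the tampered payload are constructed values.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Tuple

# The token shown on this page (the widely circulated HS256 demo token).
EXAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

B64URL_RE = re.compile(r"[A-Za-z0-9_-]*")  # the base64url alphabet, no padding


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment. JWTs omit the '=' padding, so restore it first."""
    if not B64URL_RE.fullmatch(segment):
        raise ValueError("segment contains characters outside the base64url alphabet")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_jwt(token: str) -> Tuple[str, str, str]:
    """Split a compact serialization into exactly three non-empty segments."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("a signed JWT has exactly three dot-separated segments")
    return parts[0], parts[1], parts[2]


def decode_unverified(token: str) -> Tuple[dict, dict, bytes]:
    """Decode header and payload WITHOUT checking the signature.

    This is what a decoder tool does: fine for debugging, but nothing returned
    here may be trusted for authorization until the signature has been verified.
    """
    h, p, s = split_jwt(token)
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def is_well_formed(token: str) -> bool:
    """True if the token splits into three decodable segments (no key needed)."""
    try:
        decode_unverified(token)
        return True
    except ValueError:  # binascii.Error and JSONDecodeError both subclass it
        return False


def hs256_signature(header_b64: str, payload_b64: str, secret: bytes) -> str:
    """The formula from the text: HMACSHA256(header_b64 + "." + payload_b64, secret)."""
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())


if __name__ == "__main__":
    header, payload, sig = decode_unverified(EXAMPLE_TOKEN)
    print("header :", header)
    print("payload:", payload)
    print("sig    :", len(sig), "bytes")
    # The signature binds header AND payload: edit either and the value changes.
    h, p, _ = split_jwt(EXAMPLE_TOKEN)
    key = b"constructed-demo-key"
    tampered = b64url_encode(json.dumps({**payload, "name": "Jane Doe"}).encode())
    print("original payload :", hs256_signature(h, p, key))
    print("tampered payload :", hs256_signature(h, tampered, key))
```

Run it as a script to see the decoded header and payload of the token above, followed by two different signatures for the same key: one over the original payload and one over a payload with the name changed, which is why a verifier can spot tampering without ever looking at the claims themselves.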
How JWT Authentication Works
- Login: The user sends credentials (username/password) to the server
- Token creation: The server verifies credentials and creates a JWT containing user information
- Token storage: The client stores the JWT, typically in localStorage or in an httpOnly cookie. localStorage is readable by any script running on the page, so a single XSS flaw exposes the token; an httpOnly cookie cannot be read from JavaScript, but a cookie-based flow then needs CSRF protection (for example the SameSite attribute)
- Subsequent requests: The client includes the JWT in the Authorization header of every API request, usually as Authorization: Bearer <token>
- Verification: The server verifies the signature, validates the claims (at least exp, iss, and aud), and only then trusts the user information in the payload; no session lookup is needed because the token carries the identity itself
JWT Security Best Practices
- Always set an expiration: Use the exp claim to limit token lifetime. Short-lived tokens (15-60 minutes) limit the damage from a leaked token, since a plain JWT cannot be revoked once issued; pair them with a refresh mechanism if longer sessions are needed.
- Use strong secrets: For HMAC-based signing (HS256), use a random secret of at least 256 bits. A short or guessable secret can be brute-forced offline from a single captured token.
- Prefer RS256 over HS256 in distributed systems: With HS256 every service that verifies tokens holds the same secret, so compromising any one of them lets an attacker mint valid tokens. With RS256 only the issuer holds the private key; verifiers need just the public key.
- Never store sensitive data in the payload: JWTs are encoded, not encrypted. Anyone who holds the token can decode the payload. Use our JWT Decoder to verify what's visible.
- Validate all claims: Always check the signature first, then exp, iss, and aud on the server side. A correctly signed token issued by a different issuer, or for a different audience, must still be rejected.
- Use httpOnly cookies: Storing JWTs in httpOnly cookies keeps them out of reach of XSS payloads running in the page. Add the Secure attribute and a SameSite policy (or a CSRF token), since the browser attaches the cookie automatically.
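The login flow above and the best-practice list are put together in this added Python example (not the page's own code): a server mints a short-lived HS256 token, and a verifier pins the algorithm, checks the signature in constant time, and validates exp, iss, and aud before trusting the payload. The issuer URL, audience name and secret are constructed placeholders; forge_alg_none and tamper_subject are constructed attack attempts that the verifier must reject.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed configuration for this example; a real service loads it from its
# settings and a secret store. Nothing here is ever taken from the token itself.
ISSUER = "https://auth.example.com"
AUDIENCE = "orders-api"
SECRET = b"example-only-secret-that-is-32-bytes!!"  # HS256 key of at least 256 bits


class InvalidToken(Exception):
    """Any token that must not be trusted; the message is for server logs only."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def hs256_mac(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def create_jwt(claims: dict, secret: bytes, lifetime_s: int = 900,
               now: Optional[int] = None) -> str:
    """Token creation step: issue an HS256 token; the server sets iat and exp."""
    if len(secret) < 32:
        raise ValueError("HS256 secret must be at least 256 bits")
    now = int(time.time()) if now is None else now
    h = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    p = b64url_encode(json.dumps({**claims, "iat": now, "exp": now + lifetime_s}).encode())
    return f"{h}.{p}." + b64url_encode(hs256_mac(f"{h}.{p}".encode("ascii"), secret))


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str,
               now: Optional[int] = None, leeway_s: int = 30) -> dict:
    """Verification step: return the payload only if signature AND claims pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three segments")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
        signing_input = f"{h}.{p}".encode("ascii")
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeError all subclass it
        raise InvalidToken("malformed header or signature")
    # Pin the algorithm: the header is attacker-controlled, so "none" or any
    # algorithm other than the configured one is rejected before anything else.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    if not hmac.compare_digest(hs256_mac(signing_input, secret), signature):
        raise InvalidToken("bad signature")  # compare_digest is constant-time
    try:
        payload = json.loads(b64url_decode(p))
    except ValueError:
        raise InvalidToken("malformed payload")
    if not isinstance(payload, dict):
        raise InvalidToken("payload is not a JSON object")
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")  # a token without exp would never die: reject it
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now > exp + leeway_s:
        raise InvalidToken("exp missing or token expired")
    if payload.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = payload.get("aud")  # RFC 7519 allows a string or an array of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    return payload


def check_token(token: str, now: Optional[int] = None):
    """(True, payload) or (False, reason): a non-raising wrapper around verify_jwt."""
    try:
        return True, verify_jwt(token, SECRET, ISSUER, AUDIENCE, now=now)
    except InvalidToken as exc:
        return False, str(exc)


def forge_alg_none(token: str) -> str:
    """Constructed attack: relabel the header alg=none and drop the signature."""
    return b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + token.split(".")[1] + "."


def tamper_subject(token: str, new_sub: str) -> str:
    """Constructed attack: edit the payload but keep the original signature."""
    h, p, s = token.split(".")
    payload = dict(json.loads(b64url_decode(p)), sub=new_sub)
    return f"{h}.{b64url_encode(json.dumps(payload).encode())}.{s}"
```

To try it, mint a token with create_jwt({"sub": "42", "iss": ISSUER, "aud": AUDIENCE}, SECRET) and pass it to check_token: the untouched token comes back as (True, payload), while forge_alg_none, tamper_subject, a token signed with another key, or the same token presented an hour later each come back as (False, reason). The order of checks matters: the algorithm is pinned and the signature verified before the payload is even parsed, so claim validation only ever runs on data the issuer actually signed.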
Debugging JWTs
When debugging authentication issues, you often need to inspect the contents of a JWT. Our JWT Decoder lets you paste a token and instantly see the decoded header, payload, and expiration time. You can also use the JSON Formatter to pretty-print the decoded payload for easier reading.
Decode a JWT Token
Paste any JWT and instantly see the decoded header, payload, and expiration.
Open JWT Decoder →