What is a JWT Token?

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way of transmitting claims between parties as a JSON object. A JWT is digitally signed with either a shared secret (HMAC) or a public/private key pair, so the recipient can verify that it was issued by the holder of the key and has not been altered since. The signature protects integrity and origin, not confidentiality: the contents remain readable by anyone who holds the token.

JWTs are widely used for authentication and authorization in modern web applications. When a user logs in, the server generates a JWT and sends it to the client. The client then includes this token in subsequent requests to prove its identity.

JWT Structure

A JWT consists of three Base64URL-encoded parts separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

Specifies the token type and the signing algorithm used (e.g., HS256, RS256).

{"alg": "HS256", "typ": "JWT"}

Payload

Contains the claims: statements about the user and additional metadata.

{"sub": "1234", "name": "Jane", "exp": 1234567890}

Signature

Created by signing the string base64url(header) + "." + base64url(payload) with the key: an HMAC keyed with the shared secret for HS256, or the issuer's private key for RS256. The verifier recomputes (or checks) the signature over the same two segments to confirm the token has not been tampered with.

Standard JWT Claims

sub
Subject: Identifies the principal that is the subject of the JWT (e.g., a user ID).
iss
Issuer: Identifies the principal that issued the JWT (e.g., your auth server URL).
exp
Expiration Time: Unix timestamp after which the token must no longer be accepted.
iat
Issued At: Unix timestamp at which the JWT was issued; used to determine the age of the token.
aud
Audience: Identifies the recipients the JWT is intended for; a recipient that is not in the audience must reject the token.
jti
JWT ID: A unique identifier for the JWT; a server that records the IDs it has already accepted can use it to prevent token replay.

Common Use Cases

๐Ÿ” Authentication

After login, a JWT is issued to the user. Each subsequent request includes this token so the server can verify identity without querying a database.

Authorization

JWTs can carry user roles and permissions, allowing APIs to make access-control decisions without a database lookup on every request.

๐ŸŒ Microservices

With an asymmetric algorithm such as RS256, each service can verify JWTs independently using the issuer's public key, so only the issuer holds the private key; this enables stateless authentication between services in distributed architectures.

Password Reset Links

Short-lived JWTs can be embedded in password reset emails to create expiring links without server-side session storage; making the link one-time additionally requires the server to record the token's jti once it has been used.

Frequently Asked Questions

Is it safe to decode a JWT here?

Yes. The decode operation only Base64-decodes the token; no data is sent to any server. If you enter your secret to verify the signature, it stays in your browser only.

Can JWTs be decoded without the secret?

Yes. The header and payload of a JWT are only Base64URL-encoded, not encrypted, so anyone can read them. The secret is only needed to verify that the token was not tampered with.

What is the difference between HS256 and RS256?

HS256 uses a single shared secret (symmetric HMAC-SHA256): every party that can verify a token can also mint one. RS256 uses a public/private key pair (asymmetric RSA with SHA-256): the server signs with the private key and clients verify with the public key, so verifiers cannot forge tokens.

Should I store sensitive data in a JWT payload?

No. The payload is only encoded, not encrypted. Anyone who has the token can read its contents. Never store passwords, credit card numbers, or other sensitive data in a JWT.
