What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way for two parties to pass around signed JSON data. You meet JWTs most often as login tokens: after you sign in, the server hands your browser a JWT, and every later request presents it as proof of who you are.

The three parts

A JWT is three Base64URL strings joined by dots: header.payload.signature.

Key fact: JWTs are signed, not encrypted. Base64URL is an encoding, not encryption — anyone who obtains the token can read everything inside it. The signature only proves the content wasn't modified. Never put passwords, card numbers or personal secrets in a JWT payload.

The standard claims

Common mistakes

Inspect one now

Paste any token into the JWT viewer on the home page — it decodes the header and payload, translates the timestamps into your timezone, flags expired tokens, and can verify HS256 signatures. Everything runs in your browser, so the token never leaves your machine.