What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way for two parties to pass around signed JSON data. You meet JWTs most often as login tokens: after you sign in, the server hands your browser a JWT, and every later request presents it as proof of who you are.
The three parts
A JWT is three Base64URL strings joined by dots: header.payload.signature.
- Header — metadata: which algorithm signed the token (
alg) and its type (typ). - Payload — the actual claims: who you are (
sub), who issued it (iss), when it expires (exp), plus any custom fields the developer added. - Signature — a cryptographic stamp over the first two parts. If anyone edits the payload, the signature stops matching and the server rejects the token.
Key fact: JWTs are signed, not encrypted. Base64URL is an encoding, not encryption — anyone who obtains the token can read everything inside it. The signature only proves the content wasn't modified. Never put passwords, card numbers or personal secrets in a JWT payload.
The standard claims
iss— issuer, who created the tokensub— subject, usually the user IDaud— audience, which service should accept itexp/nbf/iat— expiry, not-before and issued-at times, as Unix secondsjti— a unique token ID, handy for revocation lists
Common mistakes
- Trusting a decoded token without verifying the signature. Decoding is trivial; only verification proves authenticity.
- Storing sensitive data in the payload. It is readable by design.
- Ignoring
exp. Long-lived or non-expiring tokens are a security hole — if one leaks, it works until revoked. - Accepting
alg: none. Well-known attack; servers must whitelist expected algorithms.
Inspect one now
Paste any token into the JWT viewer on the home page — it decodes the header and payload, translates the timestamps into your timezone, flags expired tokens, and can verify HS256 signatures. Everything runs in your browser, so the token never leaves your machine.