January 20, 2024 10 min read

JWT Token Explained: A Developer's Complete Guide

Understand JSON Web Tokens, their structure, use cases, and security implications.

JSON Web Tokens (JWT) have become the standard for authentication in modern web applications. Whether you're building a REST API, a single-page application, or a microservices architecture, understanding JWTs is essential.

What is a JWT?

A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe means of representing claims between two parties. It's commonly used for:

  • Authentication: After login, each request includes the JWT for user identification
  • Information Exchange: JWTs can securely transmit information between parties
  • Authorization: Determine what resources a user can access

JWT Structure

A JWT consists of three parts separated by dots (.):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header

Contains metadata about the token type and signing algorithm:

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

Contains the claims - statements about the user and additional metadata:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

Common claims include:

  • sub (subject) - The user ID
  • iat (issued at) - When the token was created
  • exp (expiration) - When the token expires
  • iss (issuer) - Who issued the token
  • aud (audience) - Intended recipient

3. Signature

Ensures the token hasn't been altered. It is created by base64url-encoding the header and the payload, joining them with a dot, and computing an HMAC over that string with a secret:

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
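The following Python is an added example, not code from the article, that carries the three-part structure above through in standard-library code: it base64url-encodes the same header and payload as the article's sample token, computes the HS256 signature exactly as the formula states, and verifies a token with a constant-time comparison. The secret is constructed for this example (the article does not state the secret behind its sample token), so the signature produced here differs from the one shown on the page; the first two segments come out byte-for-byte identical.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; never hard-code a real one.
SECRET = b"example-signing-secret-do-not-reuse"

HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}

# The sample token from the article, used here only to show decoding.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding stripped by b64url_encode, then decode."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def json_segment(obj: dict) -> str:
    # Compact separators: no whitespace, matching what JWT libraries emit.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(signing_input: str, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return b64url_encode(mac)


def encode_jwt(header: dict, payload: dict, secret: bytes) -> str:
    signing_input = json_segment(header) + "." + json_segment(payload)
    return signing_input + "." + sign_hs256(signing_input, secret)


def split_jwt(token: str) -> tuple:
    """Return (header, payload, signature, signing_input). Nothing is trusted yet:
    decoding is not verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS-style JWT has exactly three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[2], parts[0] + "." + parts[1]


def verify_hs256(token: str, secret: bytes) -> bool:
    """True only if the signature matches; compare_digest avoids timing leaks."""
    _, _, signature, signing_input = split_jwt(token)
    expected = sign_hs256(signing_input, secret)
    return hmac.compare_digest(expected, signature)


def altered_payload_verifies(token: str, secret: bytes) -> bool:
    """Change one claim without re-signing; a correct verifier must return False."""
    header, payload, signature, _ = split_jwt(token)
    payload["name"] = "Someone Else"
    altered = json_segment(header) + "." + json_segment(payload) + "." + signature
    return verify_hs256(altered, secret)


if __name__ == "__main__":
    print("decoded payload:", split_jwt(SAMPLE_TOKEN)[1])
    token = encode_jwt(HEADER, PAYLOAD, SECRET)
    print("our token:", token)
    print("verifies with our secret:", verify_hs256(token, SECRET))
    print("verifies after payload edit:", altered_payload_verifies(token, SECRET))
```

The split between `split_jwt` and `verify_hs256` is deliberate: anyone can run the first on any token, which is the whole point of the article's warning that the payload is readable; only the second tells you the contents came from the holder of the secret.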


How JWT Authentication Works

  1. User logs in with credentials (username/password)
  2. Server verifies credentials and creates a JWT
  3. JWT is returned to the client
  4. Client stores JWT (usually in localStorage or cookies)
  5. Client sends JWT with every request (Authorization header)
  6. Server validates JWT and processes the request

JWT Best Practices

Security Do's

  • Use strong, unique secrets for signing
  • Set short expiration times (15 min - 1 hour)
  • Use HTTPS for all JWT transmissions
  • Validate all claims on the server
  • Use the exp claim to expire tokens

Security Don'ts

  • Don't store sensitive data in the payload (it's only base64 encoded)
  • Don't use JWT for session management without refresh tokens
  • Don't trust the token without validating the signature
  • Don't expose your signing secret
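The "validate all claims on the server" and "don't trust the token without validating the signature" points above are where most real JWT defects live, so here is an added example (not from the article) of the claim checks a server should run after the signature has passed. The issuer name, audience, clock-skew allowance and maximum lifetime are constructed values for this example; the sample payloads reuse the article's claims with `iss` and `aud` added. The header check pins the algorithm on the server side, which is the practical way to honour "don't trust the token": the verifier, not the token, decides which algorithm is acceptable.

```python
import time

# Constructed policy values for this example.
EXPECTED_ISSUER = "https://issuer.example"
EXPECTED_AUDIENCE = "orders-api"
CLOCK_SKEW_SECONDS = 30        # tolerated clock drift between issuer and verifier
MAX_LIFETIME_SECONDS = 3600    # reject tokens whose exp - iat exceeds one hour


def validate_header(header: dict, expected_alg: str = "HS256") -> list:
    """The server pins the algorithm; a token may not choose its own."""
    errors = []
    if header.get("alg") != expected_alg:
        errors.append(f"alg {header.get('alg')!r} is not the expected {expected_alg!r}")
    if header.get("typ", "JWT") != "JWT":
        errors.append(f"unexpected typ {header.get('typ')!r}")
    return errors


def validate_claims(payload: dict, now: int) -> list:
    """Return a list of problems; an empty list means the claims are acceptable.
    `now` is passed in so the checks are deterministic and testable."""
    errors = []

    exp = payload.get("exp")
    if not isinstance(exp, int):
        errors.append("exp claim missing or not an integer")
    elif now > exp + CLOCK_SKEW_SECONDS:
        errors.append("token has expired")

    iat = payload.get("iat")
    if isinstance(iat, int):
        if iat > now + CLOCK_SKEW_SECONDS:
            errors.append("iat is in the future")
        if isinstance(exp, int) and exp - iat > MAX_LIFETIME_SECONDS:
            errors.append("token lifetime exceeds policy")

    if payload.get("iss") != EXPECTED_ISSUER:
        errors.append("iss does not match the expected issuer")

    # aud may be a single string or a list of strings (RFC 7519 section 4.1.3).
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        errors.append("token is not intended for this audience")

    sub = payload.get("sub")
    if not isinstance(sub, str) or not sub:
        errors.append("sub claim missing")

    return errors


# Constructed sample payloads: the article's claims plus iss/aud, then
# variations a verifier must reject.
NOW = 1516240000
GOOD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022,
        "exp": 1516242622, "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE}
EXPIRED = dict(GOOD, exp=1516239900)
WRONG_AUD = dict(GOOD, aud=["billing-api", "reports-api"])
TOO_LONG = dict(GOOD, exp=GOOD["iat"] + 86400)
NO_EXP = {k: v for k, v in GOOD.items() if k != "exp"}

if __name__ == "__main__":
    print("header:", validate_header({"alg": "HS256", "typ": "JWT"}) or "OK")
    for name, claims in [("good", GOOD), ("expired", EXPIRED),
                         ("wrong_aud", WRONG_AUD), ("too_long", TOO_LONG),
                         ("no_exp", NO_EXP)]:
        print(f"{name}: {validate_claims(claims, NOW) or 'OK'}")
    print("live check:", validate_claims(GOOD, int(time.time())))
```

Returning a list of problems rather than raising on the first one makes the function easy to log from: a token that fails several checks at once is a useful signal in its own right.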

⚠️ Security Warning

JWT payloads are NOT encrypted - they're only base64 encoded. Anyone can decode and read the payload. Never store sensitive information like passwords or personal data in a JWT.

JWT vs Sessions

Both have their place:

  • JWT: Stateless, scalable, good for APIs and microservices
  • Sessions: Server-side state, easier to invalidate, better for traditional web apps

Common JWT Algorithms

  • HS256: HMAC with SHA-256 (symmetric)
  • RS256: RSA with SHA-256 (asymmetric)
  • ES256: ECDSA with SHA-256 (asymmetric)

Conclusion

JWTs are powerful tools for authentication and authorization when used correctly. Remember to follow security best practices, keep tokens short-lived, and never store sensitive data in the payload. Use our JWT Decoder to inspect and debug your tokens during development.