
Understanding JWT Tokens

JSON Web Tokens are a widely used format for stateless authentication. Learn how they are structured, how to decode them, and why decoding a token is not the same as verifying it.


A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It is widely used for authentication and authorization in web applications.

Structure

A JWT (in the compact signed form this page covers) consists of three Base64url-encoded parts separated by dots, with the trailing = padding stripped:

header.payload.signature

Header

The header identifies the token type and the signing algorithm (alg), for example HS256 for HMAC with SHA-256 or RS256 for RSA with SHA-256:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

The payload contains claims (statements about the user and additional metadata):

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

Common registered claims include sub (subject), iss (issuer), aud (audience), iat (issued at), nbf (not before) and exp (expiration). The time claims are seconds since the Unix epoch, so the example token above expires one hour after it was issued.

Signature

The signature is what lets a verifier detect tampering. It is computed over the first two Base64url segments joined by a dot (the exact encoded text, not the decoded JSON). With HMAC algorithms such as HS256 the issuer and verifier share one secret key; with RS256 or ES256 the issuer signs with a private key and any party holding the matching public key can verify. A valid signature shows the token was produced by a holder of the key and has not been altered since, nothing more: it says nothing about whether the claims inside are still current.
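To make the three-part structure concrete, here is an added Python example (standard library only; not code from the original page or from the JWT decoder it links to) that builds a token from the header and payload shown above with a constructed placeholder signature, then decodes it. The names decode_jwt, b64url_decode, json_segment and SAMPLE_TOKEN are assumptions for this example. The tampered token at the end shows why decoding alone proves nothing: the forged payload reads back just as cleanly as the original.

```python
import base64
import json

# Constructed sample matching the header and payload shown above. The
# signature segment is a placeholder, not a real HMAC: decoding never
# looks at it, which is exactly the gap the security notes describe.
SAMPLE_HEADER = {"alg": "HS256", "typ": "JWT"}
SAMPLE_PAYLOAD = {
    "sub": "1234567890",
    "name": "John Doe",
    "iat": 1516239022,
    "exp": 1516242622,
}


def b64url_encode(raw: bytes) -> str:
    """Base64url with the trailing '=' padding stripped, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding so the standard decoder accepts it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_segment(obj: dict) -> str:
    """Serialise compactly (no spaces) and encode as one token segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


SAMPLE_TOKEN = ".".join([
    json_segment(SAMPLE_HEADER),
    json_segment(SAMPLE_PAYLOAD),
    b64url_encode(b"placeholder-signature"),
])

# Same token with the subject swapped and the signature left untouched.
TAMPERED_TOKEN = ".".join([
    json_segment(SAMPLE_HEADER),
    json_segment({**SAMPLE_PAYLOAD, "sub": "admin"}),
    b64url_encode(b"placeholder-signature"),
])


def decode_jwt(token: str) -> dict:
    """Split a compact JWS into its parts and parse header and payload.

    This reads the token and nothing more. The signature bytes are returned
    but never checked, so no value here can be trusted until a verifier
    holding the key has confirmed the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated parts, got {len(parts)}")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    return {
        "header": header,
        "payload": payload,
        "signature": b64url_decode(signature_b64),
    }


if __name__ == "__main__":
    print(SAMPLE_TOKEN)
    print(json.dumps(decode_jwt(SAMPLE_TOKEN)["payload"], indent=2))
    # Decodes without complaint even though the payload was altered
    print(decode_jwt(TAMPERED_TOKEN)["payload"]["sub"])
```

The padding arithmetic in b64url_decode matters in practice: Python's decoder rejects unpadded input, and tokens in the wild never carry the = characters.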

Important security notes

The payload is only Base64url-encoded, not encrypted. Anyone who obtains the token can decode it without the key. Never put passwords, API keys or other sensitive data in a JWT payload.

Always verify the signature on the server side before acting on any claim, and fix the algorithm and key you accept in server configuration rather than reading them from the token's header: a header that says alg none, or names an algorithm you did not configure, is a reason to reject the token. After the signature passes, check exp (and nbf, iss and aud where you use them). Never trust a JWT's contents without those checks.

Decoding vs verifying

Decoding means reading the header and payload; it needs no key and any tool can do it. Verifying means recomputing the signature with the known secret or public key and comparing it, in constant time, with the signature the token carries. Our JWT decoder only decodes. It does not verify signatures, so a token that decodes cleanly has not been shown to be genuine or unexpired.
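As an added example of that distinction, and of the checks listed under the security notes, the following Python (standard library only; not code from the original page or from the JWT decoder it links to) mints an HS256 token and then verifies it the way a server should: the algorithm is pinned to HS256 before any cryptography runs, the signature is compared in constant time, and exp, nbf and aud are checked afterwards. DEMO_SECRET, DEMO_CLAIMS and all function names are constructed for this example; forge_alg_none builds the kind of token a verifier that trusted the header would wrongly accept.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real HS256 key must be at least 32 random bytes
# and must come from a secret store, never from source code.
DEMO_SECRET = b"demo-secret-do-not-use-anywhere-real!"

# Constructed claims for a token valid for one hour after iat.
DEMO_CLAIMS = {
    "sub": "1234567890",
    "aud": "api.example",
    "iat": 1700000000,
    "exp": 1700003600,
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS: HMAC-SHA256 over the ASCII text 'header.payload'."""
    signing_input = json_segment({"alg": "HS256", "typ": "JWT"}) + "." + json_segment(claims)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def forge_alg_none(claims: dict) -> str:
    """What an attacker sends hoping the server honours the header's alg."""
    return json_segment({"alg": "none", "typ": "JWT"}) + "." + json_segment(claims) + "."


def verify_hs256(token: str, secret: bytes, audience: str, now=None) -> dict:
    """Return the claims only if the token is authentic and currently valid.

    Raises ValueError otherwise. The accepted algorithm is fixed here by the
    server, so a header saying "none" or "RS256" is rejected before any
    cryptography runs; the token never gets to choose how it is verified.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("algorithm not accepted")

    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # compare_digest is constant-time; a plain '==' leaks via timing
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("payload must be a JSON object")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("missing or past exp")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    aud = claims.get("aud")  # the spec allows a string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims


def is_valid(token: str, secret: bytes, audience: str, now=None) -> bool:
    """Boolean wrapper so callers can probe a token without try/except."""
    try:
        verify_hs256(token, secret, audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = sign_hs256(DEMO_CLAIMS, DEMO_SECRET)
    print(token)
    print(is_valid(token, DEMO_SECRET, "api.example", now=1700000100))
    print(is_valid(forge_alg_none(DEMO_CLAIMS), DEMO_SECRET, "api.example", now=1700000100))
```

The verifier treats every failure the same way (one exception type, no partial result), so a caller cannot accidentally use claims from a token that failed only the expiry or audience check.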