What Is a JWT? JSON Web Token Explained

A JWT (JSON Web Token) is a compact, URL-safe token format used for authentication and authorization. It consists of three Base64url-encoded parts separated by dots: header, payload, and signature.

JWT Structure

Header: contains the algorithm (alg) and token type (typ).
Payload: contains claims such as sub (subject), exp (expiration), and iat (issued at).
Signature: a keyed cryptographic signature (an HMAC for HS256, a digital signature for RS256) computed over the encoded header and payload; it lets the verifier detect any tampering by a party that does not hold the key.

Common Claims

iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), jti (JWT ID). Custom claims can be added by the issuer.

JWT Use Cases

OAuth 2.0 access tokens, OpenID Connect ID tokens, session tokens in SPAs, API authentication, microservice authorization, and single sign-on (SSO) systems.

Frequently Asked Questions

Is JWT encrypted?

JWTs are encoded (Base64url), not encrypted. Anyone who obtains a token can decode the header and payload without any key. Never store secrets in JWT payloads. Use JWE (JSON Web Encryption) when the token contents themselves must be confidential.

How do I verify a JWT?

Verify the signature with the key that belongs to the algorithm you expect: the issuer's public key for RS256 or the shared secret for HS256, rejecting any token whose alg header differs from the one you configured. Then always check the exp, nbf, iss, and aud claims server-side before trusting anything in the payload.