What Is a JWT (JSON Web Token)?
Understand JSON Web Tokens: the header, payload, and signature, how JWTs are used for authentication, and why you should never trust an unverified token.
A JWT (JSON Web Token) is a compact, URL-safe way to represent claims between two parties. It's widely used for authentication: after you log in, a server issues a token your browser sends with each request to prove who you are.
The three parts
A JWT is three Base64URL-encoded sections separated by dots: header.payload.signature.
- Header โ the token type and signing algorithm (e.g.
HS256). - Payload โ the claims: user id, expiry (
exp), issuer, etc. - Signature โ a cryptographic signature that proves the token wasn't tampered with.
Important: decoding is not verifying
The header and payload are only encoded, not encrypted โ anyone can read them. Security comes from the signature, which a server checks with a secret key. Never trust a token's contents without verifying its signature, and never put sensitive data in the payload.