Developer ยท 4 min read

What Is a JWT (JSON Web Token)?

Understand JSON Web Tokens: the header, payload, and signature, how JWTs are used for authentication, and why you should never trust an unverified token.

A JWT (JSON Web Token) is a compact, URL-safe way to represent claims between two parties. It's widely used for authentication: after you log in, a server issues a token your browser sends with each request to prove who you are.

The three parts

A JWT is three Base64URL-encoded sections separated by dots: header.payload.signature.

  • Header โ€” the token type and signing algorithm (e.g. HS256).
  • Payload โ€” the claims: user id, expiry (exp), issuer, etc.
  • Signature โ€” a cryptographic signature that proves the token wasn't tampered with.

Important: decoding is not verifying

The header and payload are only encoded, not encrypted โ€” anyone can read them. Security comes from the signature, which a server checks with a secret key. Never trust a token's contents without verifying its signature, and never put sensitive data in the payload.

Try the tool