What is a JWT token?
A JSON Web Token (JWT) is a compact, URL-safe way to transmit information
between two parties as a signed JSON object. JWT tokens are commonly used for
authentication and authorization in modern web applications and APIs.
A JWT contains encoded information such as user identity, permissions,
and expiration time. Because the token is digitally signed, the receiver
can verify that the information has not been altered.
JWT tokens are widely used in authentication systems including OAuth,
API authentication, and Single Sign-On (SSO). Their compact format makes
them easy to transmit in HTTP headers, URLs, or cookies.
A typical JSON Web Token (JWT) contains three parts:
header.payload.signature
These parts allow applications to verify the authenticity and integrity
of the token.
How to decode a JWT token?
Decoding a JWT token allows developers to inspect the information stored inside the token.
A JWT consists of three Base64URL-encoded parts: the header, payload, and signature.
The header contains metadata such as the signing algorithm used.
The payload contains claims, which are pieces of information like user ID, permissions, or expiration time.
To decode a JWT token, simply paste the token into the decoder tool above.
The encoded data will automatically be converted into readable JSON format.
This makes it easy for developers to inspect token contents, debug authentication flows,
and verify the information included in a token.
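The decoding described above, as an added Python example that is not part of this page's decoder tool. The sample token is the widely circulated jwt.io example (HS256 header; a sub/name/iat payload) and is used here only as input:

```python
import base64
import json

# Sample token for this demonstration: the widely circulated jwt.io example token
# (HS256 header; payload {"sub":"1234567890","name":"John Doe","iat":1516239022}).
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are Base64URL without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> dict:
    """Split header.payload.signature and decode the two JSON parts.

    No key is involved: this reads the token but does not prove it is genuine,
    so every value returned here is untrusted until the signature is verified.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated parts, got {len(parts)}")
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),  # raw bytes, opaque until verified
    }


def describe(token: str) -> str:
    """Render what a decoder tool shows: algorithm, type, and each claim."""
    decoded = decode_jwt(token)
    header = decoded["header"]
    lines = [f"alg={header.get('alg')} typ={header.get('typ')}"]
    for claim, value in decoded["payload"].items():
        lines.append(f"{claim}: {value!r}")
    lines.append(f"signature: {len(decoded['signature'])} bytes (not checked here)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_TOKEN))
```

Any well-formed token decodes this way, including one whose payload has been altered; only signature verification (covered further down this page) tells a genuine token from a tampered one.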
What is the structure of a JWT token?
A JSON Web Token is composed of three parts separated by dots:
header.payload.signature
Each part serves a specific purpose.
Header — contains metadata about the token including the type of token and the signing algorithm.
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload — contains claims such as user identifiers, permissions and expiration time.
Signature — used to verify that the token has not been altered and that it was issued by a trusted source.
What is the JWT payload?
The payload is the second part of a JSON Web Token and contains the claims carried by the token.
Claims represent information about a user or system such as user ID, permissions, or token expiration time.
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}
The payload is only Base64URL encoded, not encrypted, so anyone who holds the token can decode and read it.
Because of this, sensitive information such as passwords or private data should never be stored inside a JWT payload.
What is the JWT header?
The JWT header is the first part of a JSON Web Token and contains metadata about the token.
It defines the algorithm used to sign the token.
{
  "alg": "HS256",
  "typ": "JWT"
}
The alg field specifies the cryptographic algorithm used to generate the signature.
The typ field indicates that the token type is JWT.
Before the token is created, the header is converted to JSON and encoded using Base64URL encoding.
How to verify a JWT signature?
Verifying a JWT signature ensures that the token has not been modified and that it was issued by a trusted source.
When a JWT is created, the encoded header and payload are signed with a shared secret (HMAC algorithms such as HS256) or with a private key (asymmetric algorithms), depending on the algorithm used.
To verify the signature, the server recomputes the HMAC over the encoded header and payload with the shared secret, or checks the signature with the corresponding public key, using the algorithm it expects rather than whatever the token's header declares.
If the recomputed value matches the signature carried in the token, the JWT is considered authentic; its claims still have to be validated separately.
What are JWT claims?
JWT claims are pieces of information stored inside the payload of a JSON Web Token.
Claims describe details such as user identity, expiration time, or intended audience.
There are three main types of claims:
Registered claims — predefined claims like iss, exp, sub, aud.
Public claims — custom claims defined by developers.
Private claims — application-specific claims used between systems.
What does "exp" mean in a JWT token?
The exp claim represents the expiration time of the token.
It defines the exact moment when the token becomes invalid.
{
  "exp": 1716239022
}
The value is stored as a Unix timestamp: seconds since 1970-01-01 00:00:00 UTC.
If the current time exceeds this timestamp, the token must be rejected.
How to check if a JWT token is valid?
Several checks must be performed to determine if a JWT token is valid.
First, the token structure must be correct and contain three Base64URL encoded parts.
Second, the token signature must be verified using the correct secret or public key.
Finally, claims such as exp, iss, and aud must be validated.
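The three checks above, together with the signature recomputation described under "How to verify a JWT signature?", as an added Python example rather than this page's own code. It issues an HS256 token with a constructed sample secret and then verifies it, pinning the algorithm to HS256 so the token's own alg header cannot choose the check; the claim values and issuer/audience names are constructed for the demonstration:

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-secret-change-me"  # constructed sample key for this example


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token: Base64URL the header and payload, then HMAC-SHA256 them."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Structure, then signature, then claims; raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")  # 1. exactly three Base64URL parts
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):  # 2. constant-time compare
        raise ValueError("signature mismatch: token altered or signed with another key")
    payload = json.loads(b64url_decode(payload_b64))  # 3. claims, only after the signature passed
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    if payload.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    return payload


if __name__ == "__main__":
    claims = {"sub": "1234567890", "iss": "auth.example", "aud": "api.example",
              "exp": int(time.time()) + 300}
    print(verify_jwt(sign_hs256(claims, SECRET), SECRET, "auth.example", "api.example"))
```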
Is a JWT encrypted or encoded?
A standard JWT token is encoded, not encrypted.
The header and payload are encoded using Base64URL encoding.
This allows anyone with the token to decode and read its contents.
Security comes from the digital signature, which lets the receiver detect any modification; it does not hide the contents.
If encryption is required, developers can use JSON Web Encryption (JWE).
How does JWT authentication work?
JWT authentication is widely used in modern web applications and APIs.
The typical flow:
1. A user logs into the application.
2. The server verifies credentials and generates a JWT token.
3. The token is returned to the client.
4. The client sends the token with future requests.
5. The server verifies the token before granting access.
Because JWT tokens are self-contained, servers do not need to store session data.
When should you use JSON Web Tokens?
JWT tokens are useful when applications require secure and stateless authentication.
They are commonly used for:
• API authentication
• Single Sign-On (SSO)
• Microservice architectures
Their compact and self-contained structure makes them efficient for distributed systems.
What is the difference between decoding and verifying a JWT?
Decoding a JWT means converting the Base64URL encoded header and payload into readable JSON.
This does not require any secret key.
Verification checks the token signature using a secret or public key.
Decoding allows developers to read the token, while verification confirms that the token is authentic.
JWT vs session authentication
Session authentication stores session data on the server.
The server associates this data with a session ID stored in cookies.
JWT authentication stores information directly inside the token.
The server does not need to keep session state, which makes JWT ideal for APIs and distributed systems.
Why are JWT tokens used for authentication?
JWT tokens provide a compact and secure way to transmit authentication data.
Unlike traditional session authentication, JWT tokens are self-contained.
This allows servers to verify users without storing session information.
JWT tokens are therefore highly scalable and well suited for microservices and modern API architectures.