JWT Explained: What Every Developer Should Know

📅 2026-05-08 · 🏷️ Security · ⏱️ 6 min read

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims between two parties. It's defined by RFC 7519 and is widely used in authentication (OAuth2, OpenID Connect) and API authorization.

JWT Structure

A JWT has three Base64url-encoded parts separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiJ9
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header

Algorithm and token type. Example: {"alg":"HS256","typ":"JWT"}

2. Payload (Claims)

Standard claims: sub (subject), exp (expiry), iat (issued-at), iss (issuer).

3. Signature

Lets the recipient check that the header and payload have not been altered. Verifying it requires the shared secret (HMAC) or the issuer's public key (RSA/EC).

Security Warning

The payload is only Base64url-encoded, not encrypted: anyone who holds the token can read it. Never store passwords, PII, or credit card numbers in a JWT payload.
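The three-part structure above, and the point that the payload is readable without any key, can be shown end to end in a few lines. The following example is added here and is not code from the article or its decoder tool. It decodes the article's sample token without a key (which is all a decoder needs to do), then builds and verifies a token of its own with a constructed secret (DEMO_SECRET is an assumption for the example). The sample token's own signature is not checked, because the secret that produced it is not given in the article. The verifier fixes the expected algorithm rather than trusting the alg field in the header, uses a constant-time comparison, and rejects a missing or past exp claim.

```python
import base64
import hashlib
import hmac
import json
import time

# Sample token taken from the article (header.payload.signature).
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiJ9"
    ".SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

# Constructed secret for this example only; a real HS256 key is random and at least 256 bits.
DEMO_SECRET = b"example-secret-not-for-production"


def b64url_decode(segment: str) -> bytes:
    """Decode one Base64url segment, restoring the '=' padding that JWT strips."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    """Base64url-encode without padding, as RFC 7519 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Read header and payload WITHOUT checking the signature.

    This is what a decoder tool does: no key is needed, which is exactly why
    secrets must never be placed in the payload.
    """
    header_b64, payload_b64, _sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Create an HS256 token: HMAC-SHA256 over 'header_b64.payload_b64'."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes, now=None):
    """Return (True, payload) if signature and expiry check out, else (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    # The verifier pins the algorithm it accepts; the token's header never chooses it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    # Recompute over the original segments, not over re-serialized JSON.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired or missing exp"
    return True, payload


if __name__ == "__main__":
    # The article's sample decodes without any key.
    print(decode_unverified(SAMPLE_TOKEN))
    # A freshly signed token verifies; the same token with an edited payload does not.
    token = sign_hs256({"sub": "user_123", "role": "admin", "exp": int(time.time()) + 3600}, DEMO_SECRET)
    print(verify_hs256(token, DEMO_SECRET))
    h, _p, s = token.split(".")
    altered = ".".join([h, b64url_encode(b'{"sub":"user_123","role":"superuser"}'), s])
    print(verify_hs256(altered, DEMO_SECRET))
```

Running the script prints the sample's header {"alg":"HS256","typ":"JWT"} and payload {"sub":"user_123","role":"admin"}, then (True, payload) for the self-signed token and (False, "bad signature") for the copy whose payload segment was changed.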

Use our free JWT Decoder to inspect tokens safely in your browser.

Found this useful? Try our JWT Decoder — browser-based and free forever.