JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting data between parties as a digitally signed JSON object. JWT is widely used for authentication and authorization in web applications, APIs, and microservice architectures.
JWT Token Structure
A JWT consists of three parts separated by dots:
xxxxx.yyyyy.zzzzz
- Header — contains the token type (JWT) and the signing algorithm (HS256, RS256, etc.). Encoded in Base64URL.
- Payload — contains claims — data about the user and the token. Standard claims: iss (issuer), sub (subject), exp (expiration), iat (issued at), aud (audience). Encoded in Base64URL.
- Signature — created by signing the encoded Header and Payload with a secret key (HMAC algorithms such as HS256) or a private key (RS256 and similar). Guarantees the token's integrity: the verifier recomputes or checks the signature and rejects any token whose Header or Payload was altered.
How JWT Works
After authentication, the server creates a JWT and sends it to the client. The client stores the token (in localStorage, sessionStorage, or a cookie) and sends it with every subsequent request in the Authorization header. The server verifies the token's signature and extracts data from the Payload without querying the database.
JWT Security
It is important to understand: JWT is not encrypted, only signed. Anyone can decode the Header and Payload (it is just Base64URL encoding, not encryption). The signature guarantees that the token has not been tampered with, but it does not hide its contents. Never store sensitive data in a JWT: passwords, card numbers, or personal information.
Conclusion
JWT is a powerful tool for secure authentication. Decode and analyze tokens using our JWT decoder — it will display the Header and Payload contents and check the token's expiration.