JWT in 30 Seconds
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It's the most popular format for authentication tokens in modern web applications.
Structure of a JWT
Every JWT has three parts separated by dots: header.payload.signature
- Header: Specifies the algorithm (usually HS256 or RS256) and token type
- Payload: Contains the claims (user data, expiration, etc.)
- Signature: Cryptographic signature to verify the token hasn't been tampered with
Common JWT Claims
- sub — Subject (usually user ID)
- iat — Issued At (Unix timestamp)
- exp — Expiration Time (Unix timestamp)
- iss — Issuer
- aud — Audience
- nbf — Not Before
Is JWT Secure?
JWTs are signed, not encrypted (by default). Anyone can decode and read the payload — they just can't modify it without invalidating the signature. Never put sensitive data (passwords, credit cards) in a JWT payload.
How to Decode a JWT Safely
Never paste your production JWT tokens into online tools that send data to their servers. Use a client-side decoder like ours — the token never leaves your browser, so there's zero risk of exposure.
Common JWT Mistakes
- Storing sensitive data in the payload
- Not validating the signature on the server
- Using long-lived tokens without refresh mechanisms
- Not checking the exp claim
- Decoding tokens on server-side tools that log input