alltools.one
Security • 2026-02-14 • 9 min • alltools.one Team
jwt, authentication, security, api, tokens

JWT Tokens Explained: Structure, Security, Best Practices

JSON Web Tokens show up in almost every modern authentication system. That long string in your Authorization header (eyJhbGciOiJIUzI1NiIs...) is a JWT, and understanding what is inside it and how it works is essential for building secure applications.

What Is a JWT?

A JWT is a compact, URL-safe token format that carries claims (data) between two parties. It is self-contained: the token itself holds the information needed to verify its authenticity and extract user data, without requiring a database lookup.

Decode any JWT instantly with our JWT Encoder/Decoder. Paste a token and see its header, payload, and signature broken down.

JWT Structure: Three Parts

Every JWT has three Base64URL-encoded parts separated by dots:

header.payload.signature

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Specifies the signing algorithm and token type.

Payload

{
  "sub": "user123",
  "name": "Alex Chen",
  "role": "admin",
  "iat": 1708963200,
  "exp": 1709049600
}

Contains the claims, i.e. the actual data. Standard (registered) claims include sub (subject), iat (issued at), and exp (expiration).

Signature

Created by signing the encoded header and payload (joined by a dot) with a secret key. This prevents tampering: any modification to the header or payload invalidates the signature.

How JWT Authentication Works

  1. User logs in with credentials
  2. Server creates a JWT with user claims and signs it
  3. Server returns the JWT to the client
  4. Client sends JWT in the Authorization header for subsequent requests
  5. Server verifies the signature and extracts the claims; no database query is needed
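The following is an added example, not code from the alltools.one article, that implements the five-step flow above in Python using only the standard library. It builds the three Base64URL parts, signs them with HS256, and on the server side pins the algorithm (so a token claiming alg "none" is rejected), compares the signature in constant time and checks exp. The secret, the user claims and the timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real service loads this from a secret store.
SECRET = b"demo-secret-do-not-use-in-production"
ALLOWED_ALG = "HS256"  # the verifier pins the algorithm; the token never chooses it


def b64url_encode(data: bytes) -> str:
    # JWTs use unpadded Base64URL, so the trailing '=' is stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the stripped padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes, ttl_seconds: int = 900,
                now: Optional[int] = None) -> str:
    """Step 2: build header.payload.signature, signed with HS256."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


class InvalidToken(Exception):
    """Raised for any reason a token must not be trusted."""


def verify_token(token: str, secret: bytes, now: Optional[int] = None,
                 leeway: int = 0) -> dict:
    """Step 5: check the signature and exp, then return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("token parts are not Base64URL-encoded JSON") from exc
    # Compare against the pinned algorithm, so "none" and anything unexpected fail here.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise InvalidToken("unsupported or missing alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # compare_digest runs in constant time, so the check leaks no timing information.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now > exp + leeway:
        raise InvalidToken("token is expired or carries no exp claim")
    return payload


def authorize_request(authorization_header: str, secret: bytes,
                      now: Optional[int] = None) -> dict:
    """Steps 4 and 5: pull the JWT out of 'Authorization: Bearer <token>' and verify it."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise InvalidToken("expected 'Bearer <token>'")
    return verify_token(token, secret, now=now)


if __name__ == "__main__":
    # Constructed sample: the same claims and iat as the article's payload example.
    token = issue_token({"sub": "user123", "name": "Alex Chen", "role": "admin"},
                        SECRET, now=1708963200)
    print(token)
    print(authorize_request("Bearer " + token, SECRET, now=1708963300))
```

The order of checks matters: the algorithm is compared against a server-side constant before any signature work, and the claims are only returned after both the signature and exp pass, so a caller never sees claims from a token that failed any check.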

Security Best Practices

Always Verify the Signature

Never trust a JWT without verifying its signature. Decode the payload with our JWT Decoder to inspect tokens during development, but always verify cryptographically in production.

Use Short Expiration Times

JWTs cannot be revoked once issued (unlike session tokens). Keep expiration times short (15-60 minutes) and use refresh tokens for longer sessions.

Choose the Right Algorithm

  • HS256: HMAC with SHA-256, symmetric key. Simple, fast, good for single-server apps
  • RS256: RSA with SHA-256, asymmetric keys. Better for distributed systems where multiple services verify tokens
  • Never use "none": the alg: "none" vulnerability has caused real-world breaches

Protect the Secret Key

Your JWT signing key is the master key to your authentication system. Store it securely, rotate it periodically, and never expose it in client-side code.

Do Not Store Sensitive Data in the Payload

JWT payloads are Base64-encoded, not encrypted. Anyone can decode them. Never include passwords, credit card numbers, or secrets.

Common JWT Mistakes

  1. Not validating expiration: always check the exp claim
  2. Storing JWTs in localStorage: vulnerable to XSS attacks. Use httpOnly cookies instead
  3. Oversized tokens: JWTs go in every request header. Keep payloads lean
  4. Not using HTTPS: JWTs sent over HTTP can be intercepted
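As a second added example (again not from the article), here is a read-only token inspector that flags the mistakes listed above together with the algorithm and payload advice from the best-practices section: alg "none" or an empty signature, a missing or expired exp (or one far beyond the 60-minute guideline), sensitive-looking claim names in the readable payload, and oversized tokens. It only decodes and never treats a token as authentic, so it belongs in a CI check or a developer tool, not on the verification path. The sensitive-claim word list and the 4 KB size budget are assumptions.

```python
import base64
import json
from typing import List

# Assumed heuristics: claim names that should never ride in a readable payload,
# and a size budget chosen because tokens travel in every request header.
SENSITIVE_CLAIM_NAMES = {"password", "passwd", "secret", "card_number", "ssn"}
MAX_TOKEN_BYTES = 4096
MAX_LIFETIME_SECONDS = 3600  # the article's 60-minute upper guideline


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def inspect_token(token: str, now: int, max_bytes: int = MAX_TOKEN_BYTES) -> List[str]:
    """Decode a JWT without verifying it and return a list of findings.
    An empty list means none of the listed mistakes were observed; it does not
    mean the token is valid, because no signature check is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return ["malformed: header or payload is not Base64URL-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["malformed: header and payload must be JSON objects"]

    findings = []
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        findings.append("alg is missing or 'none': the token is unsigned")
    if sig_b64 == "":
        findings.append("empty signature segment")

    exp = payload.get("exp")
    if not isinstance(exp, int):
        findings.append("no integer exp claim: the token never expires")
    elif exp <= now:
        findings.append(f"expired: exp {exp} is not after now {now}")
    elif exp - now > MAX_LIFETIME_SECONDS:
        findings.append(f"exp is {(exp - now) // 60} minutes away, above the 60-minute guideline")

    for name in payload:
        if name.lower() in SENSITIVE_CLAIM_NAMES:
            findings.append(f"claim '{name}' looks sensitive; payloads are readable by anyone")

    if len(token) > max_bytes:
        findings.append(f"token is {len(token)} bytes, over the {max_bytes}-byte budget")
    return findings


def build_sample_token(header: dict, payload: dict, signature: str = "") -> str:
    """Constructed fixture for feeding inspect_token; it does not sign anything."""
    return (b64url_encode(json.dumps(header).encode()) + "."
            + b64url_encode(json.dumps(payload).encode()) + "." + signature)


if __name__ == "__main__":
    # Constructed sample using the article's payload timestamps: iat to exp is 24 hours,
    # so the inspector reports the lifetime as above the 60-minute guideline.
    sample = build_sample_token({"alg": "HS256", "typ": "JWT"},
                                {"sub": "user123", "iat": 1708963200, "exp": 1709049600}, "c2ln")
    for finding in inspect_token(sample, now=1708963300):
        print("-", finding)
```

Run against the payload shown earlier in the article, the only finding is the 24-hour lifetime, which is a useful reminder that a structurally fine token can still miss the expiration guideline.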

Frequently Asked Questions

Can I revoke a JWT?

Not directly: JWTs are stateless. Workarounds include short expiration times, token blacklists, or changing the signing key (which invalidates all tokens).

Should I use JWTs for sessions?

JWTs work well for API authentication and microservices. For traditional web sessions, server-side sessions with cookies are often simpler and more secure.

How is JWT different from OAuth?

OAuth is an authorization framework. JWT is a token format. OAuth can use JWTs as access tokens, but they solve different problems.
