What Is a JWT (JSON Web Token)? A Complete Guide
JSON Web Tokens (JWTs) are the most common way to handle authentication in modern web apps and APIs. Here's what they actually are.
The big idea
A JWT is a signed, self-contained token that carries information (claims) about a user or session. Because it's signed, the server can trust the data inside without looking anything up in a database.
The three parts
A JWT is three base64url strings joined by dots: header.payload.signature.
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM ... .dyt0CoTl4WoVjAHI9Q
1. Header
Describes the token type and signing algorithm:
{ "alg": "HS256", "typ": "JWT" }
2. Payload (claims)
The data. Standard claims include sub (subject), exp (expiry), iat (issued at), and iss (issuer), plus any custom fields:
{ "sub": "1234567890", "name": "John Doe", "admin": true }
3. Signature
A cryptographic signature (strictly, a MAC in the HS256 case) over the encoded header and payload, created with a shared secret (HS256) or a private key (RS256). It lets the verifier detect any change to the header or payload.
What signing does — and doesn't do
Signing guarantees integrity (the token wasn't changed) and authenticity (it came from someone with the secret). It does not encrypt — anyone can read the payload by base64-decoding it. Never put passwords or secrets in a JWT.
When to use JWTs
- Stateless API authentication
- Single sign-on (SSO)
- Short-lived access tokens
For a comparison with the traditional approach, see JWT vs session cookies.
Try it
Paste any token into the JWT decoder to inspect its header and payload, or create your own and validate it.