What is a JWT Token? A Simple Explanation

What is JWT?

JWT stands for JSON Web Token. It is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. The information is digitally signed so it can be verified and trusted.

JWTs are commonly used for authentication — when a user logs in, the server creates a JWT and sends it to the client. The client then sends this token with every subsequent request to prove its identity.

JWT Structure

A JWT consists of three parts separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbWVzIn0.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

Contains the algorithm used for signing (e.g. HS256) and token type (JWT). Base64URL encoded.

Payload

Contains the claims — data like user ID, name, roles and expiry time. Base64URL encoded. Not encrypted — anyone can read it!

Signature

Created by signing the header and payload with a secret key. Used to verify the token has not been tampered with.

How JWT Authentication Works

User logs in with username and password
Server verifies credentials and creates a JWT signed with a secret key
Server sends JWT to the client
Client stores JWT (in memory or localStorage)
Client sends JWT in the Authorization header with every request
Server verifies the JWT signature and grants access

Common JWT Claims

Claim	Name	Description
sub	Subject	User ID or identifier
iss	Issuer	Who created the token
aud	Audience	Who the token is for
exp	Expiry	When the token expires (Unix timestamp)
iat	Issued at	When the token was created
nbf	Not before	Token not valid before this time

JWT Security Tips

Never store sensitive data in JWT payload — it can be decoded by anyone
Always set an expiry time (exp claim)
Use HTTPS to transmit tokens
Keep your secret key secure and never expose it
Use short expiry times for sensitive applications

Decode a JWT token instantly

Paste any JWT token and see the header, payload and claims decoded.

Open JWT Decoder →