JWT Guide: Complete JSON Web Token Tutorial

Everything you need to know about JSON Web Tokens for secure authentication and data exchange.

What is JWT?

A JSON Web Token (JWT) is a compact, URL-safe token that carries a set of claims together with a signature (or, less commonly, encryption) so that the receiving party can check who issued it and that it was not altered in transit. JWTs are commonly used for authentication and information exchange in web applications.

JWTs are defined in RFC 7519. The signed form most applications use is a JSON Web Signature (RFC 7515), and the signing algorithm names (HS256, RS256, ES256 and so on) come from JSON Web Algorithms (RFC 7518).

JWT Structure

A signed JWT (the compact JWS serialization) consists of three base64url-encoded parts separated by dots: header.payload.signature. The first two decode to JSON; the third is the raw signature bytes.

Header

The header contains metadata about the token: the signing algorithm (alg, e.g. HS256 for HMAC-SHA256 or RS256 for RSA with SHA-256), the token type (typ) and optionally a key identifier (kid) that tells the verifier which key to use.

Payload

The payload contains claims: statements about an entity (typically the user) plus metadata about the token itself. RFC 7519 registers names such as sub (subject), iss (issuer), aud (audience), iat (issued at), exp (expiration time) and jti (token ID); any other name is a private claim agreed between the parties.

Signature

The signature is computed over the encoded header and payload with the issuer's key: a keyed MAC for HS256 (the same secret on both ends) or a digital signature for RS256 or ES256 (the private key signs, the public key verifies). A server that recomputes or checks it learns that the token was produced by a holder of that key and has not been altered since. It does not hide the contents.

How JWT Authentication Works

  1. User logs in with credentials
  2. Server validates credentials and generates a JWT with a short exp
  3. JWT is sent to the client (usually in the response body or in a cookie)
  4. Client includes the JWT in subsequent requests (typically Authorization: Bearer <token>)
  5. Server verifies the signature with its configured key and algorithm, checks the claims (exp, plus iss and aud where used) and grants access

Practical Examples

Example JWT

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded Header

{"alg": "HS256", "typ": "JWT"}

Decoded Payload

{"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
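The following Python script is an added example, not code from the original page: it reproduces the three-part structure, the signing and verification steps, and the login flow described above, using the page's own example token. It assumes that token was signed with the secret jwt.io publishes for that sample, your-256-bit-secret; the helper names, the 900-second lifetime and the user alice are this example's own choices. Only the standard library is used.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed inputs: the page's example token, and the sample secret jwt.io
# publishes for it. A real key must be random, long and kept private.
SAMPLE_SECRET = b"your-256-bit-secret"
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_encode(raw: bytes) -> str:
    # base64url with the '=' padding removed, as RFC 7515 requires.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: dict) -> bytes:
    # No whitespace, keys in insertion order: reproduces the page's segments exactly.
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    # signature = HMAC-SHA256(key, base64url(header) + "." + base64url(payload))
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def decode_unverified(token: str) -> tuple[dict, dict]:
    # Anyone can do this: header and payload are encoded, not encrypted.
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes, now: int | None = None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm server-side. Trusting the token's own "alg" would let a
    # client ask for "none" (no signature at all) or for a different algorithm.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def issue_access_token(sub: str, key: bytes, ttl: int = 900, now: int | None = None) -> str:
    # Step 2 of the login flow: credentials already checked, mint a short-lived token.
    now = int(time.time()) if now is None else now
    return sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": sub, "iat": now, "exp": now + ttl}, key)


def authenticate(authorization: str, key: bytes, now: int | None = None) -> str:
    # Steps 4 and 5: take the token from "Authorization: Bearer <jwt>" and return its subject.
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("expected a Bearer token")
    return verify_hs256(token, key, now)["sub"]


def page_token_verifies() -> bool:
    # Rebuilding the page's token from its decoded parts and the sample secret
    # reproduces it byte for byte, and it verifies (it carries no exp, so no expiry check).
    header, payload = decode_unverified(PAGE_TOKEN)
    return (sign_hs256(header, payload, SAMPLE_SECRET) == PAGE_TOKEN
            and verify_hs256(PAGE_TOKEN, SAMPLE_SECRET)["sub"] == "1234567890")


def rejects(token: str) -> bool:
    try:
        verify_hs256(token, SAMPLE_SECRET)
    except ValueError:
        return True
    return False


def forged_tokens_rejected() -> bool:
    header_b64, _, sig_b64 = PAGE_TOKEN.split(".")
    header, payload = decode_unverified(PAGE_TOKEN)
    # 1. Edit a claim but keep the old signature: the MAC no longer matches.
    payload["name"] = "Mallory"
    edited = header_b64 + "." + b64url_encode(compact_json(payload)) + "." + sig_b64
    # 2. Claim "alg": "none" and drop the signature: the pinned algorithm check fails.
    header["alg"] = "none"
    unsigned = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload)) + "."
    return rejects(edited) and rejects(unsigned)


if __name__ == "__main__":
    print("page token verifies:", page_token_verifies())
    print("forged tokens rejected:", forged_tokens_rejected())
    print("login flow subject:", authenticate("Bearer " + issue_access_token("alice", SAMPLE_SECRET), SAMPLE_SECRET))
```

The verifier deliberately never reads the algorithm out of the token to decide how to check it; the algorithm and key are server configuration. The same shape applies to RS256, where the check becomes a public-key signature verification instead of an HMAC recomputation.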

Best Practices

  • Use HTTPS: a JWT is a bearer token, so whoever captures it can use it; transmit it only over TLS
  • Short expiration: always set exp (minutes, not days, for access tokens), reject expired tokens on the server, and renew through a refresh flow rather than issuing long-lived tokens
  • Secure storage: in browsers prefer httpOnly, Secure, SameSite cookies, which page scripts cannot read; a token kept in localStorage can be exfiltrated by any XSS. Cookie-borne tokens need CSRF protection
  • Validate signatures: verify on the server with a fixed, configured algorithm and key; never let the token's alg header choose the algorithm (a verifier that honours "alg": "none" accepts unsigned tokens), and check exp, and iss and aud where used
  • Don't store sensitive data: JWT payloads are base64url-encoded, not encrypted; anyone who sees the token can read them

Frequently Asked Questions

Are JWTs encrypted?

A JWT in the common signed (JWS) form is not encrypted: the header and payload are only base64url-encoded, so anyone holding the token can read them. If the contents must stay confidential, use JWE (JSON Web Encryption), which encrypts the payload; a compact JWE has five dot-separated parts instead of three.

How do I invalidate a JWT?

A signature alone cannot be revoked: a server that only checks the signature and exp will accept a token until it expires. To invalidate earlier you need server-side state. Keep access tokens short-lived; give each one a unique jti and keep a denylist of revoked jti values until their exp passes; or store a per-user token version (or "password changed at" timestamp) and reject tokens whose iat predates it.
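As an added example (not from the original page), the jti denylist approach in Python. It assumes tokens are issued with jti and exp claims and that the claims dict handed to it has already passed signature verification; the class name and the sample claim values are constructed for this demonstration.

```python
from __future__ import annotations

import time


class TokenDenylist:
    """Server-side revocation for otherwise stateless JWTs.

    Revoking a token means remembering its jti until its exp passes; after
    that the verifier rejects it on expiry anyway, so the entry can be
    dropped. The list therefore only ever holds revoked, still-unexpired
    tokens and stays small when access tokens are short-lived.
    """

    def __init__(self) -> None:
        self._revoked = {}  # jti -> exp

    def revoke(self, claims: dict) -> None:
        # Called on logout, password change, or when a token is known to be leaked.
        self._revoked[claims["jti"]] = claims["exp"]

    def is_revoked(self, claims: dict, now: int | None = None) -> bool:
        # Checked after signature and exp validation, before granting access.
        now = int(time.time()) if now is None else now
        self.prune(now)
        return claims.get("jti") in self._revoked

    def prune(self, now: int) -> None:
        # Drop entries whose token has expired on its own.
        self._revoked = {jti: exp for jti, exp in self._revoked.items() if exp > now}

    def __len__(self) -> int:
        return len(self._revoked)


def demo(now: int = 1_700_000_000) -> tuple[bool, bool, int]:
    # Constructed claims, as they would look after verification succeeded.
    alice = {"sub": "alice", "jti": "8c2e1a", "iat": now, "exp": now + 900}
    bob = {"sub": "bob", "jti": "f91d02", "iat": now, "exp": now + 900}
    denylist = TokenDenylist()
    denylist.revoke(alice)  # alice logs out
    alice_blocked = denylist.is_revoked(alice, now + 10)
    bob_allowed = not denylist.is_revoked(bob, now + 10)
    # 901 s later alice's token has expired anyway, so pruning empties the list.
    denylist.prune(now + 901)
    return alice_blocked, bob_allowed, len(denylist)


if __name__ == "__main__":
    print(demo())
```

A token issued without a jti cannot be revoked individually, so require the claim at issuance if you rely on this. In a multi-instance deployment the denylist lives in shared storage (a cache with per-entry TTL set to exp maps onto it directly).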

What's the difference between JWT and OAuth?

OAuth 2.0 is an authorization framework (how a client obtains and presents access tokens), while JWT is a token format. An OAuth server may issue its access tokens, and OpenID Connect its ID tokens, as JWTs, but it can equally use opaque tokens that only the server can interpret.
