What is a JWT Token?

JWT tokens are everywhere in modern web development — authentication, APIs, single sign-on. But what exactly is a JWT, what's inside it, and how do you read one?


What is a JWT?

A JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between two parties as a compact, URL-safe string. JWTs are most commonly used for authentication — after you log in, the server issues a JWT that your browser sends with every subsequent request to prove who you are.

A JWT looks like this:

Example JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSBMb3ZlbGFjZSIsImlhdCI6MTUxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Those three dot-separated sections are the three parts of every JWT.

The 3 parts of a JWT

Every JWT has exactly three parts, separated by dots: header.payload.signature. The header and payload are Base64URL-encoded JSON; the signature is the Base64URL-encoded raw signature bytes.

1. Header

The header contains metadata about the token — specifically the algorithm used to sign it and the token type.

Header (decoded)
{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload (Claims)

The payload contains the actual data — called claims. These are statements about the user and other metadata.

Payload (decoded)
{
  "sub": "1234567890",
  "name": "Ada Lovelace",
  "email": "ada@example.com",
  "roles": ["admin"],
  "iat": 1516239022,
  "exp": 1516242622
}

Standard claims include: sub (subject/user ID), iat (issued at), exp (expiry time), iss (issuer), aud (audience).

3. Signature

The signature lets the receiver check that the token hasn't been tampered with. It's created by signing the Base64URL-encoded header and payload (joined by a dot) with a secret key, using the algorithm named in the header. Without the secret, you can read the payload but can't forge a valid signature.

Important: The JWT payload is only Base64-encoded — not encrypted. Anyone can decode and read it. Never put passwords, credit card numbers, or sensitive PII in a JWT payload.

How to decode a JWT

You can decode any JWT instantly using the tinybench.dev JWT decoder — paste the token and see the header, payload, and expiry time decoded and formatted. Since the tool runs entirely in your browser, your tokens are never sent to any server.

How JWT authentication works

  1. User logs in — sends username and password to the server
  2. Server verifies credentials — checks the database
  3. Server issues JWT — creates a signed token with user info and expiry
  4. Client stores JWT — usually in memory or localStorage
  5. Client sends JWT with requests — in the Authorization: Bearer <token> header
  6. Server validates JWT — verifies the signature, checks expiry, reads claims
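As an added example (not code from the article or from tinybench.dev), here is a minimal Python implementation of the three-part structure and of step 6 above: Base64URL decoding with the stripped padding restored, HS256 signing over header.payload, and server-side verification that pins the algorithm, compares the signature in constant time and checks exp. DEMO_SECRET and DEMO_CLAIMS are constructed values; PAGE_TOKEN is the article's example token and is only decoded, never verified.

```python
import base64
import hashlib
import hmac
import json
import time

# PAGE_TOKEN is the article's example token (decoded only); the other values are constructed for this demo.
PAGE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSBMb3ZlbGFjZSIsImlhdCI6MTUxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
DEMO_CLAIMS = {"sub": "1234567890", "name": "Ada Lovelace", "email": "ada@example.com",
               "roles": ["admin"], "iat": 1516239022, "exp": 1516242622}

def b64url_decode(segment: str) -> bytes:
    # JWT segments are Base64URL with the '=' padding stripped; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_jwt(token: str) -> dict:
    """Split and decode the three parts WITHOUT verifying: what a browser-side decoder shows."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    return {"header": json.loads(b64url_decode(parts[0])),
            "payload": json.loads(b64url_decode(parts[1])),
            "signature": b64url_decode(parts[2])}

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue header.payload.signature; the signature is HMAC-SHA256 over 'header.payload'."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Server-side validation: pinned algorithm, constant-time signature compare, expiry check."""
    decoded = decode_jwt(token)
    if decoded["header"].get("alg") != "HS256":
        # The server decides which algorithm it accepts; the token's header does not get to choose
        raise ValueError("unexpected alg in header")
    h, p, _ = token.split(".")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, decoded["signature"]):
        raise ValueError("invalid signature")
    claims = decoded["payload"]
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

Call sign_hs256(DEMO_CLAIMS, DEMO_SECRET) to issue a token, decode_jwt on it to see that the payload is readable with no secret at all, and verify_hs256 with now=1516239100 to accept it; a different secret, an edited payload segment, or now=1516242622 each raise ValueError.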

JWT vs session tokens

Feature             | JWT                                | Session Token
--------------------|------------------------------------|------------------------------
Stored on server?   | No (stateless)                     | Yes (in DB or cache)
Scales easily?      | Yes                                | Requires shared session store
Can be revoked?     | Only at expiry (or with blocklist) | Yes, instantly
Contains user data? | Yes                                | No (just an ID)
Common use          | APIs, microservices, SPAs          | Traditional web apps

Frequently asked questions

Is a JWT encrypted?
No. A standard JWT (JWS) is signed, not encrypted. The payload is Base64-encoded and readable by anyone. JWE (JSON Web Encryption) is a separate standard for encrypted tokens. For sensitive data, use JWE or keep sensitive fields out of the payload entirely.
How long should a JWT last?
Short-lived access tokens (15 minutes to 1 hour) are best practice. Pair them with longer-lived refresh tokens. Long-lived JWTs are risky because they can't be revoked if stolen.
Where should I store a JWT in the browser?
In-memory (a JavaScript variable) is most secure. localStorage is convenient but vulnerable to XSS. HttpOnly cookies protect against XSS but need CSRF protection. The right choice depends on your threat model.
What does "invalid signature" mean?
It means the token was signed with a different secret key, or the token has been tampered with. Never trust a JWT with an invalid signature.
