Tutorials | Monday, January 19, 2026 | 3 min read

Understanding JWTs: A Developer's Guide

Learn how JSON Web Tokens work, when to use them, and how to decode them with our free online tool.

By DevTools Team

JSON Web Tokens (JWTs) have become the de facto standard for handling authentication in modern web applications. In this guide, we'll break down what JWTs are, how they work, and when you should (and shouldn't) use them.

What is a JWT?

A JWT is a compact, URL-safe way of representing claims between two parties. It consists of three parts separated by dots:

[Diagram: JWT structure, the three components of a JSON Web Token: header.payload.signature]

Each part is Base64URL encoded, making it safe to transmit in URLs and HTTP headers.

The Header

The header typically contains two pieces of information:

```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
  • alg: The signing algorithm (e.g., HS256, RS256)
  • typ: The token type (always "JWT")

The Payload

The payload contains the claims—statements about the user and additional metadata:

```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}
```

Common claims include:

  • sub (subject): The user identifier
  • iat (issued at): When the token was created
  • exp (expiration): When the token expires
  • iss (issuer): Who issued the token

The Signature

The signature ensures the token hasn't been tampered with. It's created by:

  1. Encoding the header and payload
  2. Signing with a secret key using the specified algorithm

```javascript
// Pseudocode: the signature is the HMAC over the two encoded parts joined by a dot
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
```

Try It Yourself

Use our JWT Decoder tool: paste any JWT to see its decoded contents.

When to Use JWTs

JWTs are great for:

  • Stateless authentication: No need to store session data on the server
  • Single Sign-On (SSO): Share authentication across services
  • API authorization: Secure your REST APIs
  • Information exchange: Safely transmit data between parties

Security Considerations

When working with JWTs, keep these best practices in mind:

  1. Always validate the signature - Never trust an unverified token
  2. Check expiration times - Reject expired tokens
  3. Use HTTPS - Tokens can be intercepted over insecure connections
  4. Keep secrets secure - Never expose your signing keys
  5. Consider token size - JWTs can get large with many claims

Common Mistakes

Avoid these pitfalls:

| Mistake | Why It's Bad |
| --- | --- |
| Storing sensitive data in payload | JWTs are encoded, not encrypted |
| Not setting expiration | Tokens live forever if compromised |
| Using weak secrets | Easy to brute-force |
| Storing in localStorage | Vulnerable to XSS attacks |

Conclusion

JWTs are a powerful tool for authentication when used correctly. Understanding their structure helps you make informed decisions about security and implementation.
