
What is a JWT? A Developer Guide to JSON Web Tokens

Learn how JSON Web Tokens work, their structure, use cases, and common pitfalls.

A JSON Web Token (JWT) is a compact, URL-safe token used to securely transmit information between parties. It is most commonly used for authentication — once a user logs in, the server issues a JWT that the client sends with every subsequent request.

Structure

A JWT consists of three Base64URL-encoded parts separated by dots:

header.payload.signature

Header

Specifies the token type (JWT) and the signing algorithm (e.g. HS256, RS256).

{ "alg": "HS256", "typ": "JWT" }

Payload

Contains claims — statements about the user and metadata. Standard claims include sub (subject), iat (issued at), and exp (expiry).

{ "sub": "user_123", "role": "admin", "exp": 1735689600 }

Signature

Created by signing the encoded header and payload with a secret (symmetric) or private key (asymmetric). Any change to the header or payload invalidates the signature, so the verifier can detect tampering.

HMACSHA256(base64url(header) + "." + base64url(payload), secret)

How Authentication Works

  1. User sends credentials to the server
  2. Server validates and returns a signed JWT
  3. Client stores the JWT (memory, localStorage, or httpOnly cookie)
  4. Client sends the JWT in the Authorization: Bearer <token> header
  5. Server verifies the signature on every request — no session lookup needed

Signing Algorithms

Algorithm   Type                 Use case
HS256       Symmetric (HMAC)     Single-service auth, shared secret
RS256       Asymmetric (RSA)     Multi-service, public key verification
ES256       Asymmetric (ECDSA)   Compact keys, mobile/IoT

Common Pitfalls

  • Do not store sensitive data in the payload. The payload is only Base64URL-encoded, not encrypted — anyone can decode it.
  • Always verify the signature server-side. Never trust a JWT that hasn't been verified.
  • Set an expiry (exp). Without it, a stolen token is valid forever.
  • Beware of the alg: none attack. Libraries that accept unsigned tokens are vulnerable. Always specify the expected algorithm.
  • Revocation is hard. JWTs are stateless — you can't invalidate one without a blocklist. Use short expiries and refresh tokens for sensitive apps.
