What is JWT?
JWT (JSON Web Token) is a compact, self-contained token format used for securely transmitting information between parties. Learn what JWT is, how it works, and where it's used.
JWT is an open standard (RFC 7519) that defines a compact, self-contained way to transmit claims between parties as a JSON object. The token is normally digitally signed, using either HMAC with a shared secret or RSA/ECDSA (or EdDSA) with a key pair, so a recipient holding the right key can verify that the token was issued by the signer and has not been modified. The signature proves integrity and origin, not secrecy. JWTs are most commonly used for authentication and authorization in web applications.
JWT Structure
A JWT consists of three Base64URL-encoded parts separated by dots. For example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

- Header, the algorithm and token type: {"alg": "HS256", "typ": "JWT"}
- Payload, the claims (data): {"sub": "1234567890", "name": "Alice", "iat": 1516239022}
- Signature: HMACSHA256(base64url(header) + "." + base64url(payload), secret)

The header and payload are plain JSON that anyone can decode. The signature is computed over the two already-encoded parts and depends on the secret, so it cannot be checked (or forged) without that secret.
How JWT Authentication Works
1. The user logs in with credentials.
2. The server validates the credentials and creates a JWT signed with its secret (or private key).
3. The server sends the JWT to the client.
4. The client stores the JWT, typically in localStorage or a cookie. localStorage is readable by any script running on the page, so an XSS bug leaks the token; an HttpOnly cookie avoids that but then needs CSRF protection.
5. The client includes the JWT in the Authorization header of every request: Authorization: Bearer <token>
6. The server verifies the signature with the algorithm it expects (never the one the token's header asks for) and checks the claims, at least exp, plus iss and aud where they are set. Only then is the request authorized.
7. No session lookup is needed: the payload carries the user information the server needs.
JWT Claims
The payload contains claims, statements about the user and additional data:

- Registered claims (standard, defined in RFC 7519): iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), jti (JWT ID)
- Public claims: names chosen by JWT users; they should be registered in the IANA JSON Web Token Claims registry or use a collision-resistant name to avoid clashes
- Private claims: custom claims agreed between the parties that exchange the token

Important: the payload is only Base64URL-encoded, NOT encrypted. Anyone who obtains the token can decode and read it, so never put sensitive data in a JWT payload. Time and audience claims are only useful if the receiver actually checks them; a signature alone says nothing about whether a token is expired or meant for this service.
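The structure, login flow and claim checks described above, put together in working code. This is an added example, not code from this page or from any JWT library: it builds an HS256 token with the page's example payload, shows that the payload is readable without the secret, and then verifies the signature and the exp/nbf/iss/aud claims. The secret, issuer and audience values are made-up stand-ins.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real HS256 key must be random and at least 32 bytes.
SECRET = b"example-shared-secret-at-least-32-bytes!!"


class InvalidToken(Exception):
    """Raised for any token that must not be accepted."""


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature, signing the two encoded parts with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}  # no whitespace, as in the page's example token
    signing_input = (
        b64url_encode(json.dumps(header, **compact).encode()) + "."
        + b64url_encode(json.dumps(claims, **compact).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> tuple:
    """Read header and payload WITHOUT checking the signature: anyone can do this."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token, secret, issuer=None, audience=None, now=None, leeway=0) -> dict:
    """Return the claims only if the signature and all enabled claim checks pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise InvalidToken(f"malformed token: {exc}") from None
    # Pin the algorithm. Selecting the check from header["alg"] is how "alg": "none"
    # and RSA-to-HMAC key-confusion tokens get past naive verifiers.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise InvalidToken("bad signature")
    if not isinstance(claims, dict):
        raise InvalidToken("payload is not a JSON object")
    now = time.time() if now is None else now
    # Registered time claims: exp (expiration) and nbf (not before); leeway absorbs clock skew.
    if "exp" in claims and now > claims["exp"] + leeway:
        raise InvalidToken("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise InvalidToken("token not yet valid")
    if issuer is not None and claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    if audience is not None:
        aud = claims.get("aud")  # may be a single string or a list of strings
        accepted = aud if isinstance(aud, list) else [aud]
        if audience not in accepted:
            raise InvalidToken("token not intended for this audience")
    return claims


def is_valid(token, secret, **checks) -> bool:
    """Boolean wrapper around verify_hs256 for callers that only need accept/reject."""
    try:
        verify_hs256(token, secret, **checks)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    token = sign_hs256({"sub": "1234567890", "name": "Alice", "iat": 1516239022}, SECRET)
    print(token)
    print(decode_unverified(token))  # readable with no secret at all
    print(verify_hs256(token, SECRET, now=1516239100))
```

Note that exp is treated as optional here, matching RFC 7519; a production verifier should usually require it, since a signed token without exp is valid forever unless the key is rotated.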
About JWT
JWT was introduced in 2010 and formally standardized in RFC 7519 (2015). It became widely adopted as a stateless alternative to session-based authentication: servers do not need to store session data because the token itself carries the information. The surrounding standards are JWS (JSON Web Signature), JWE (JSON Web Encryption), JWK (JSON Web Key) and JWA (JSON Web Algorithms).
FAQ
- What does JWT stand for?
- JWT stands for JSON Web Token.
- Is the JWT payload secure / private?
- No. The JWT payload is only Base64-encoded, which anyone can decode. It is NOT encrypted. JWT only guarantees that the data has not been tampered with (via the signature), not that it is private. For encrypted tokens, use JWE (JSON Web Encryption).
- What is the difference between JWT and a session cookie?
- A session cookie stores a session ID that the server looks up in a server-side session store. A JWT is self-contained: the server only needs to verify the signature and check the claims. JWTs are stateless (no lookup needed) but cannot be revoked before they expire without extra infrastructure such as a denylist of jti values or short-lived tokens paired with refresh tokens, while a session can be invalidated instantly by deleting it from the store.