What is JWT? — JSON Web Tokens Explained
Definition
JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact, URL-safe way to transmit claims between parties as a JSON object. The token is digitally signed, so the recipient can verify that it was issued by the holder of the signing key and has not been modified in transit. JWTs are commonly used for authentication, authorization, and secure information exchange in web applications and APIs.
JWT Structure
A JWT consists of three parts separated by dots:
header.payload.signature
1. Header
Contains the token type and signing algorithm:
{
"alg": "HS256",
"typ": "JWT"
}
2. Payload
Contains claims about the user and metadata:
{
"sub": "1234567890",
"name": "Jane Doe",
"role": "admin",
"iat": 1516239022,
"exp": 1516242622
}
3. Signature
Created by signing the base64url-encoded header and payload (joined by a dot) with a secret key:
HMACSHA256(
base64urlEncode(header) + "." +
base64urlEncode(payload),
secret
)
How JWT Authentication Works
- User logs in with credentials (email + password)
- Server validates credentials and creates a signed JWT
- Server returns the JWT to the client
- Client stores the JWT (localStorage, sessionStorage, or cookie)
- Client sends the JWT in the Authorization: Bearer <token> header with each request
- Server verifies the JWT signature and processes the request
Common JWT Claims
| Claim | Name | Purpose |
|---|---|---|
| sub | Subject | User identifier |
| iss | Issuer | Token issuer |
| aud | Audience | Intended recipient |
| exp | Expiration | Token expiry timestamp |
| nbf | Not Before | Token validity start |
| iat | Issued At | Token creation time |
| jti | JWT ID | Unique token identifier |
Signing Algorithms
| Algorithm | Type | Key | Use Case |
|---|---|---|---|
| HS256 | Symmetric | Shared secret | Single service |
| RS256 | Asymmetric | Public/private key pair | Microservices |
| ES256 | Asymmetric | ECDSA key pair | High security |
Security Best Practices
- Always use HTTPS to prevent token interception
- Set short expiration times (15-60 minutes for access tokens)
- Validate all claims (exp, iss, aud) server-side
- Never store sensitive data in the payload (it's encoded, not encrypted)
- Use strong secrets (256+ bits for HS256, 2048+ bits for RS256)
- Implement token revocation for compromised tokens
LangStop JWT Tools
- JWT Decoder — Decode and inspect JWT tokens
- JWT Encoder — Create and sign JWT tokens