JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. They are widely used for authentication and information exchange in modern web applications.

JWT Structure

A JWT consists of three parts separated by dots:

Header — contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256)

Payload — contains the claims (user data, permissions, expiration)

Signature — verifies the token hasn't been tampered with

Common Claims

sub — Subject (usually user ID)

iat — Issued At (timestamp)

exp — Expiration Time (timestamp)

iss — Issuer

aud — Audience

How JWT Authentication Works

User logs in with credentials

Server validates credentials and generates a JWT

JWT is sent back to the client

Client stores JWT (typically in localStorage or httpOnly cookie)

Client includes JWT in Authorization header for subsequent requests

Server validates JWT signature and extracts user data

Security Best Practices

Always use HTTPS to transmit JWTs

Set short expiration times and use refresh tokens

Store tokens in httpOnly cookies when possible

Never store sensitive data in the payload (it's Base64 encoded, not encrypted)

Validate the iss and aud claims on the server

Use strong signing algorithms (RS256 over HS256 for distributed systems)

Use our JWT Decoder to inspect the contents of any JWT token.

JWT Authentication Explained — How JSON Web Tokens Work

JWT Structure

Common Claims

How JWT Authentication Works

Security Best Practices

Related Articles

Base64 Encoding Explained — Why and How It Works

Password Security Best Practices for Developers in 2026