Igor Ilic
JWT tokens explained: encoding, decoding, and verification
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64url-encoded segments separated by dots:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9RodF0_eXf2Dg
The three parts of a JWT
- Header — contains the token type and signing algorithm:
  {"alg":"HS256","typ":"JWT"}
- Payload — contains claims (data) about the user or session:
  {"sub":"123","name":"John","iat":1516239022}
- Signature — verifies the token has not been tampered with. Created by signing the header and payload with a secret key.
Common JWT claims
| Claim | Name | Purpose |
|---|---|---|
| sub | Subject | Unique user identifier |
| iat | Issued at | Token creation timestamp |
| exp | Expiration | Token expiry timestamp |
| iss | Issuer | Who created the token |
| aud | Audience | Intended recipient |
Security considerations
JWT payloads are Base64url-encoded, not encrypted. Anyone with the token can read the claims. Treat JWTs like HTTP cookies — do not store sensitive data in the payload without additional encryption.
Always validate the signature on the server side. Never trust a JWT that arrives without checking its authenticity.
Debug JWTs online
Use the Base64 encoder to inspect individual JWT segments. For offline verification, JWTs are best checked programmatically with your server's secret key.