Understanding JSON Web Tokens (JWT): A Complete Guide


JSON Web Tokens (JWT) are a compact, URL-safe way to represent claims between two parties. They've become the standard for authentication in modern web applications.

What is a JWT?

A JWT consists of three parts separated by dots: Header.Payload.Signature

Header — specifies the token type and signing algorithm:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload — contains the claims (user data and metadata):

{
  "sub": "1234567890",
  "name": "John Doe",
  "email": "john@example.com",
  "role": "admin",
  "iat": 1516239022,
  "exp": 1516242622
}

Signature — computed with the signing key over the encoded header and payload. A verifier recomputes it and rejects the token if it does not match, which is how tampering with either part is detected.
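To make the three-part structure concrete, here is an added example (not code from the article) that builds and verifies an HS256 token using only the Python standard library. The key, header and claims are constructed for the example; the verifier pins the expected algorithm rather than trusting the header, compares signatures in constant time, and the swap_payload helper shows that changing a claim without the key is caught.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing key for this example (hypothetical, not from the article).
# It follows the article's advice of at least 256 bits (32 bytes) for HS256.
SECRET = b"example-secret-key-with-at-least-32-bytes!!"

# Constructed sample header and claims, modelled on the article's example
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "role": "user",
           "iat": 1516239022, "exp": 1516242622}


def b64url_encode(data: bytes) -> str:
    # Every JWT segment is unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped when encoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    # The signing input is "header.payload"; the signature covers both segments
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    # Returns the decoded payload when the signature is valid, otherwise None
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm this service issues with instead of trusting the header
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None


def swap_payload(token: str, new_payload: dict) -> str:
    # Rebuild the token with a different payload but the ORIGINAL signature,
    # i.e. a modification made without access to the key
    header_b64, _, sig_b64 = token.split(".")
    new_payload_b64 = b64url_encode(
        json.dumps(new_payload, separators=(",", ":")).encode("utf-8"))
    return header_b64 + "." + new_payload_b64 + "." + sig_b64


if __name__ == "__main__":
    token = sign_hs256(HEADER, PAYLOAD, SECRET)
    print("issued:", token)
    print("valid payload:", verify_hs256(token, SECRET))
    forged = swap_payload(token, dict(PAYLOAD, role="admin"))
    print("after payload swap:", verify_hs256(forged, SECRET))  # None: signature no longer matches
```

Because the signature binds header and payload together, editing a claim in the middle segment invalidates the token; the same check rejects a token signed with a different key and a token whose header announces an algorithm the server did not issue with.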

When to Use JWT

  • Authentication — After login, issue a JWT that the client sends with each request
  • Information Exchange — Transmit data whose integrity and origin the recipient can verify through the signature
  • Single Sign-On (SSO) — Share authentication across multiple services

Common Claims

  • iss — Issuer of the token
  • sub — Subject (usually the user ID)
  • aud — Audience (intended recipient)
  • exp — Expiration time
  • iat — Issued-at time
  • nbf — Not before (token is invalid before this time)

Security Best Practices

  • Never store sensitive data in the payload — it's Base64url-encoded, not encrypted, so anyone holding the token can read it
  • Use strong secrets — at least 256-bit (32-byte) keys for HS256
  • Set short expiration times — typically 15 minutes for access tokens
  • Use HTTPS — always transmit tokens over encrypted connections
  • Validate all claims — check issuer, audience, and expiration before trusting the token
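The following added example (not from the article) shows what "validate all claims" looks like as code for the registered claims listed above: issuer, audience, exp, iat and nbf, with a small clock-skew leeway and an optional lifetime cap that enforces the short-expiry advice. It also includes the key-length check behind the "strong secrets" rule. The issuer and audience values, the 30-second leeway and the 900-second policy are constructed for the example.

```python
import time
from typing import List, Optional

MIN_HS256_KEY_BYTES = 32  # 256 bits, the article's minimum for HS256


def secret_is_strong_enough(key: bytes) -> bool:
    # A short HMAC key is the practical weak point of HS256
    return len(key) >= MIN_HS256_KEY_BYTES


def validate_claims(
    payload: dict,
    *,
    expected_iss: str,
    expected_aud: str,
    now: Optional[int] = None,
    leeway: int = 30,               # seconds of clock skew tolerated (assumed policy)
    max_lifetime: Optional[int] = None,  # seconds; e.g. 900 for 15-minute access tokens
) -> List[str]:
    """Return the list of claim problems; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    problems: List[str] = []

    # iss: only accept tokens from the issuer this service trusts
    if payload.get("iss") != expected_iss:
        problems.append("iss: issuer mismatch")

    # aud: RFC 7519 allows a single string or an array of strings
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        problems.append("aud: token not intended for this service")

    # exp: a missing expiry means the token would be valid forever
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp: missing")
    elif now > exp + leeway:
        problems.append("exp: token expired")

    # nbf: reject tokens used before their start time
    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        problems.append("nbf: token not yet valid")

    # iat: an issue time in the future indicates a bad clock or a tampered claim
    iat = payload.get("iat")
    if isinstance(iat, (int, float)) and iat > now + leeway:
        problems.append("iat: issued in the future")

    # Optional policy: cap the lifetime regardless of what the issuer set
    if (max_lifetime is not None and isinstance(exp, (int, float))
            and isinstance(iat, (int, float)) and exp - iat > max_lifetime):
        problems.append("exp: lifetime exceeds policy")

    return problems


if __name__ == "__main__":
    # Constructed sample claims using the article's iat/exp values
    claims = {"iss": "https://issuer.example", "sub": "1234567890",
              "aud": "api.example", "iat": 1516239022, "exp": 1516242622}
    print(validate_claims(claims, expected_iss="https://issuer.example",
                          expected_aud="api.example", now=1516239100))
    print(validate_claims(claims, expected_iss="https://issuer.example",
                          expected_aud="api.example", now=1516239100, max_lifetime=900))
```

Run this only after the signature has been verified; claims in an unverified token are attacker-controlled input, and checking them first proves nothing.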
JWT vs Session Cookies

JWT is stateless (the server doesn't need to store session data), making it ideal for microservices. Session cookies are simpler for monolithic apps.

