JWT explained: how JSON Web Tokens work
Short answer
A JWT (JSON Web Token) is a compact token made of three Base64url-encoded parts separated by dots: a header, a payload of claims, and a signature. The signature lets a server confirm the token has not been tampered with.
The three parts
A JWT looks like header.payload.signature. The first two parts are JSON objects encoded with Base64url (URL-safe Base64 with the trailing "=" padding removed); the third is a cryptographic signature over the first two, computed with either a shared secret (HMAC, e.g. HS256) or the issuer's private key (RSA or ECDSA, e.g. RS256, ES256). Note that Base64url is an encoding, not encryption: anyone holding the token can read the header and payload.
eyJhbGciOiJIUzI1NiJ9 . eyJzdWIiOiIxMjMiLCJleHAiOjE3... . K3f9-Qm2...   (truncated example; spaces added around the dots for readability)
- Header: the signing algorithm (alg) and token type (typ).
- Payload: the claims, such as sub (subject), iat (issued at), and exp (expiry).
- Signature: proves the header and payload were not changed after signing.
Decoding vs verifying
Decoding a JWT just Base64url-decodes the header and payload so you can read them; it proves nothing about who produced them. Verifying is a separate step: the server checks the signature over header.payload with its own secret (HMAC) or the issuer's public key (RSA/ECDSA), then checks the claims it cares about: that exp has not passed, and that iss and aud are the values it expects. The server must decide which algorithm and key to use from its own configuration rather than from the token's alg header, because the header is attacker-controlled until the signature has been checked. A decoder should never be trusted as proof a token is valid.
Common claims
- iss: who issued the token
- sub: the subject, usually a user id
- aud: the intended audience; a single string or a list of strings
- exp: expiry time, after which the token is rejected
- iat: when the token was issued

exp and iat are numeric dates: seconds since the Unix epoch, not formatted strings.
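The decode-versus-verify distinction above, and the claim checks in the list, as an added, self-contained example (not code from the original page): a minimal HS256 signer and verifier using only the Python standard library, plus two constructed forgeries (a swapped payload with the original signature, and an "alg": "none" token with an empty signature) that decode fine but fail verification. The secret, claim values and names such as auth.example and api.example are constructed for illustration; times are seconds since the Unix epoch.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret; a real service loads this from a secrets store.
SECRET = b"example-hmac-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    # JWTs use Base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the stripped padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    signing_input = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """Decoding only: anyone can read the claims, and nothing here proves they are genuine."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check the signature and the standard claims; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The server decides the algorithm. Honouring header["alg"] would let a token
    # declare "none" (no signature) or switch to an algorithm the key was not meant for.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how much of a guess matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    # aud may be a single string or a list of audiences; accept either form.
    aud = claims.get("aud")
    if audience != aud and not (isinstance(aud, list) and audience in aud):
        raise ValueError("wrong audience")
    return claims


def rejection_reason(token: str, secret: bytes, issuer: str, audience: str, now=None):
    """Demonstration wrapper: the rejection message, or None if the token verifies."""
    try:
        verify_hs256(token, secret, issuer, audience, now)
        return None
    except ValueError as err:
        return str(err)


def tamper_payload(token: str, new_claims: dict) -> str:
    """Constructed attack: swap the payload but keep the original signature."""
    header_b64, _payload_b64, sig_b64 = token.split(".")
    return header_b64 + "." + encode_json(new_claims) + "." + sig_b64


def unsigned_token(claims: dict) -> str:
    """Constructed attack: an 'alg': 'none' header with an empty signature part."""
    return encode_json({"alg": "none", "typ": "JWT"}) + "." + encode_json(claims) + "."


if __name__ == "__main__":
    claims = {"iss": "auth.example", "sub": "123", "aud": "api.example",
              "iat": 1700000000, "exp": 1700003600}
    token = sign_hs256(claims, SECRET)
    args = (SECRET, "auth.example", "api.example")
    print("genuine:", rejection_reason(token, *args, now=1700000100))
    forged = tamper_payload(token, dict(claims, sub="admin"))
    print("forged decodes to sub =", decode_unverified(forged)["sub"])
    print("forged:", rejection_reason(forged, *args, now=1700000100))
    print("alg none:", rejection_reason(unsigned_token(claims), *args, now=1700000100))
    print("expired:", rejection_reason(token, *args, now=1700003600))
```

The point of the two forgeries is that decode_unverified happily returns sub = "admin" for the tampered token, while verify_hs256 rejects it before the claims are even looked at. Production code should use a maintained JWT library with the algorithm allow-list set explicitly, but the checks it must perform are exactly the ones above.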