What Is a JWT Token?
JWT (JSON Web Token) is an open standard (RFC 7519) for transmitting claims between parties as a compact, self-contained token. When you log into a web application, the server often returns a JWT instead of a session cookie. The client stores this token and includes it in subsequent requests — the server verifies the token without querying a database, making authentication stateless and scalable.
A JWT consists of three base64url-encoded parts separated by dots: header.payload.signature. The header specifies the algorithm. The payload contains the claims (user data). The signature proves the token was issued by a trusted party with knowledge of the secret key.
JWT Structure — Full Breakdown
Example JWT (line breaks added for readability):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiJ1c2VyXzEyMyIsIm5hbWUiOiJSYWh1bCIsImlhdCI6MTcwMDAwMDAwMH0.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Decoded header: {"alg": "HS256", "typ": "JWT"}
Decoded payload: {"sub": "user_123", "name": "Rahul", "iat": 1700000000}
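Decoding the two readable parts and checking the third takes only the Python standard library. The following is an added example, not code from this page or its tool: it rebuilds the header and payload shown above, signs them with a constructed development secret (an assumption, not a real key), and verifies the result with a constant-time HMAC comparison while pinning the expected algorithm instead of trusting the header's alg field.

```python
import base64
import hashlib
import hmac
import json

# Constructed development secret for the example; not a real key (assumption).
DEV_SECRET = b"development-only-secret-do-not-reuse"

# The header and payload from the breakdown above, as Python dicts.
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "user_123", "name": "Rahul", "iat": 1700000000}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment. JWTs strip the '=' padding, so restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the alphabet JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> tuple:
    """Read header and payload without touching the signature.
    Anyone holding the token can do this, which is why secrets never belong in the payload."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Issue a token: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    def compact(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the payload only if the HMAC over 'header.payload' matches.
    The verifier pins HS256 itself; the header's alg is checked, not obeyed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r; this verifier accepts only HS256" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: not issued with this secret, or token altered")
    return json.loads(b64url_decode(payload_b64))


def is_valid_hs256(token: str, secret: bytes) -> bool:
    """Boolean wrapper around verify_hs256 for callers that only need yes/no."""
    try:
        verify_hs256(token, secret)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    token = sign_hs256(HEADER, PAYLOAD, DEV_SECRET)
    print("token:", token)
    print("readable without the key:", decode_unverified(token))
    print("verified payload:", verify_hs256(token, DEV_SECRET))
    # Swap in a different payload but keep the original signature: must be rejected.
    head, _body, sig = token.split(".")
    other_body = sign_hs256(HEADER, {"sub": "user_999"}, DEV_SECRET).split(".")[1]
    print("altered payload accepted?", is_valid_hs256(head + "." + other_body + "." + sig, DEV_SECRET))
```

Because the header and payload are serialised with the same compact JSON and key order as the page's example, the first two segments of the generated token are byte-for-byte the ones shown above; only the signature differs, since it depends on the secret.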
Signature: [verifies with server's secret key - cannot be decoded without it]
Standard JWT Claims — Reference
| Claim | Full Name | Type | Description |
|---|---|---|---|
| iss | Issuer | String | Who created the token (e.g. "auth.myapp.com") |
| sub | Subject | String | Who the token is about (usually user ID) |
| aud | Audience | String/Array | Who the token is intended for |
| exp | Expiration Time | Number | Unix timestamp — token invalid after this |
| nbf | Not Before | Number | Unix timestamp — token invalid before this |
| iat | Issued At | Number | Unix timestamp when token was created |
| jti | JWT ID | String | Unique identifier for this specific token |
| name | Name | String | User's full name (non-standard but common) |
| email | Email | String | User's email (non-standard but common) |
| role | Role | String | User permission level (non-standard but common) |
JWT Security Best Practices
⚠️ Never paste a real JWT from a production system into any public online tool — even this one. Use test tokens or tokens from development environments for debugging. Production JWTs contain user identity data and — in some systems — elevated permissions.
- Set short expiration times (15 minutes for access tokens, 7–30 days for refresh tokens)
- Use asymmetric algorithms (RS256, ES256) in production rather than HS256
- Validate the aud claim to ensure the token is intended for your service
- Store JWTs in memory (not localStorage) to limit token theft via XSS attacks
- Implement token rotation — issue a new access token when the refresh token is used
- Maintain a token revocation list for high-security applications
What is the difference between JWT and a session cookie?
A session cookie contains only an opaque ID — the server looks up the associated session data in a database on every request. A JWT is self-contained — the server verifies it cryptographically without a database query. JWTs are stateless (easier to scale across multiple servers); session cookies are stateful (easier to revoke immediately).
Can I decode a JWT without the secret key?
Yes — the header and payload are just base64url encoded, not encrypted. Anyone can decode them. This is why JWTs should never contain sensitive data (passwords, credit card numbers, SSNs). The signature requires the secret key to verify, but the data is readable by anyone with the token.
My JWT says it is expired but I just received it. Why?
The most common cause is a timezone or clock synchronisation issue. The server generating the token and the system checking expiry may have clocks that disagree. Another cause: the token has a very short expiry (15 minutes) and was delayed in transit or cached by a proxy.
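The claims table above, the aud item in the best-practices list, and the clock-skew explanation just given all come down to one set of checks run after the signature has been verified. The following is an added example, not code from this page or its tool: it validates exp, nbf and iat with a small leeway so that ordinary clock drift between issuer and verifier does not reject fresh tokens, and checks aud in both its string and array forms. The service's audience name, the issuer, the 60-second leeway and the sample payload are constructed for the example.

```python
import time
from typing import List, Optional

# Assumptions for the example: this service's audience name and the clock-skew
# leeway it tolerates. Both are constructed values, not from the page.
SERVICE_AUDIENCE = "api.example.test"
CLOCK_SKEW_LEEWAY = 60  # seconds

# Constructed sample payload using the registered claims from the table.
SAMPLE_PAYLOAD = {
    "iss": "auth.myapp.com",
    "sub": "user_123",
    "aud": ["billing.example.test", "api.example.test"],
    "iat": 1700000000,
    "nbf": 1700000000,
    "exp": 1700000900,  # 15 minutes after iat
    "jti": "constructed-token-id-0001",
}


def validate_claims(payload: dict, audience: str, issuer: Optional[str] = None,
                    now: Optional[int] = None, leeway: int = CLOCK_SKEW_LEEWAY) -> List[str]:
    """Check the time and audience claims of an already signature-verified payload.
    Returns a list of problems; an empty list means the claims are acceptable.
    'now' is injectable so the check is testable; leeway absorbs small clock
    differences between issuer and verifier without accepting genuinely stale tokens."""
    now = int(time.time()) if now is None else now
    problems: List[str] = []

    exp = payload.get("exp")
    if exp is None:
        problems.append("missing exp: token would never expire")
    elif not isinstance(exp, (int, float)):
        problems.append("exp is not a numeric Unix timestamp")
    elif now > exp + leeway:
        problems.append("expired: exp=%d now=%d (leeway %ds)" % (exp, now, leeway))

    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        problems.append("not yet valid: nbf=%d now=%d" % (nbf, now))

    iat = payload.get("iat")
    if isinstance(iat, (int, float)) and iat > now + leeway:
        problems.append("iat is in the future: issuer clock is ahead of ours")

    # aud may be a single string or an array; the token is for us only if our name is listed.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else ([] if aud is None else [aud])
    if audience not in audiences:
        problems.append("aud %r does not include %r" % (aud, audience))

    if issuer is not None and payload.get("iss") != issuer:
        problems.append("iss %r is not the expected issuer %r" % (payload.get("iss"), issuer))

    if not payload.get("sub"):
        problems.append("missing sub: no subject to authorize")

    return problems


def is_acceptable(payload: dict, audience: str = SERVICE_AUDIENCE, **kwargs) -> bool:
    """True when validate_claims reports no problems."""
    return not validate_claims(payload, audience, **kwargs)


if __name__ == "__main__":
    now = 1700000600  # 10 minutes after the sample token was issued
    print(validate_claims(SAMPLE_PAYLOAD, SERVICE_AUDIENCE, issuer="auth.myapp.com", now=now))
    # 30 seconds past exp: within leeway, so a slightly slow issuer clock is tolerated
    print(validate_claims(dict(SAMPLE_PAYLOAD, exp=now - 30), SERVICE_AUDIENCE, now=now))
    # 2 minutes past exp: rejected
    print(validate_claims(dict(SAMPLE_PAYLOAD, exp=now - 120), SERVICE_AUDIENCE, now=now))
    # Token meant for a different service
    print(validate_claims(dict(SAMPLE_PAYLOAD, aud="other.example.test"), SERVICE_AUDIENCE, now=now))
```

Keep the leeway small (tens of seconds): it exists to absorb the clock disagreement described above, not to stretch the 15-minute lifetime the best-practices list recommends.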
What is the difference between HS256 and RS256?
HS256 (HMAC-SHA256) uses a single shared secret key — anyone with the key can both create and verify tokens. RS256 (RSA-SHA256) uses a public-private key pair — only the private key can create tokens, but anyone with the public key can verify them. RS256 is better for systems where you want to share token verification with third parties without sharing the ability to create tokens.