What is JWT (JSON Web Token)?
JSON Web Token (JWT) is an open standard (RFC 7519) used to securely transmit information between parties as a JSON object. It is widely used in modern web applications for authentication, authorization, and secure API communication.
JWTs are compact, URL-safe, and self-contained, which makes them ideal for stateless systems such as REST APIs, microservices, and cloud-native applications.
Why JWT Is Used
Traditional session-based authentication requires the server to store session state. This becomes difficult to scale in distributed systems.
JWT solves this problem by allowing the server to issue a signed token that contains all the required user information. The server can then verify the token on each request without maintaining session state.
- Stateless authentication
- Easy horizontal scaling
- Works well with APIs and microservices
- Language and platform independent
JWT Structure Explained
A JWT consists of three parts, separated by dots (.):
header.payload.signature
1. Header
The header contains metadata about the token, such as the signing algorithm and token type.
{
"alg": "HS256",
"typ": "JWT"
}
The alg field indicates how the token is signed (for example, HS256 or RS256).
2. Payload (Claims)
The payload contains claims, which are statements about the user or the token itself.
There are three types of claims:
- Registered claims –
sub,exp,iat,iss - Public claims – shared application-specific fields
- Private claims – custom fields defined by your application
{
"sub": "user-123",
"role": "admin",
"iat": 1700000000,
"exp": 1700003600
}
Important: JWT payloads are Base64-encoded, not encrypted. Anyone can decode them.
3. Signature
The signature ensures the integrity of the token. It is created using:
- The encoded header
- The encoded payload
- A secret key or private key
If any part of the token is modified, signature verification will fail.
How JWT Authentication Works
A typical JWT-based authentication flow looks like this:
- User logs in with username and password
- Server validates credentials
- Server issues a signed JWT
- Client stores the JWT securely
- Client sends JWT with each request
- Server verifies JWT and authorizes access
The token is usually sent in the HTTP header:
Authorization: Bearer <jwt_token>
Common JWT Use Cases
- User authentication in REST APIs
- Authorization between microservices
- Single Sign-On (SSO)
- OAuth 2.0 access tokens
- Mobile and SPA authentication
JWT vs Session-Based Authentication
| Aspect | JWT | Session |
|---|---|---|
| State | Stateless | Stateful |
| Scalability | High | Lower |
| Storage | Client-side | Server-side |
| Revocation | Difficult | Easy |
Advantages of JWT
- Stateless and scalable
- Self-contained token
- Works well with microservices
- No server-side session storage
Disadvantages and Limitations
- Cannot be easily revoked
- Token size is larger
- Improper storage can lead to security issues
JWT Security Best Practices
- Always use HTTPS
- Keep tokens short-lived
- Never store sensitive data in payload
- Verify signature and algorithm on server
- Use HttpOnly cookies when possible
JWTs should be treated as credentials. If compromised, they allow access until they expire.
Common JWT Mistakes
- Assuming JWT is encrypted
- Using long expiration times
- Storing JWT in localStorage
- Skipping signature verification
Who Should Use JWT?
JWT is suitable for:
- API-driven applications
- Microservice architectures
- Mobile and SPA frontends
- Cloud-native systems
For simple server-rendered applications, session-based authentication may still be a better choice.
Inspect a JWT
Use our JWT Decoder tool to decode and inspect JWT headers and payloads instantly.