JWT Tokens Explained: How JSON Web Tokens Work

A developer's guide to JSON Web Tokens (JWT). Learn the structure, how signing works, common security pitfalls, and when to use JWTs in your applications.

DailyUtil Team, May 18, 2026

What Is a JWT?

A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe token format for carrying claims between two parties. JWTs underpin much of modern authentication: OpenID Connect ID tokens are JWTs, many OAuth 2.0 deployments issue JWT access tokens, and countless APIs accept them as bearer credentials.

JWT Structure

A JWT consists of three parts separated by dots:

xxxxx.yyyyy.zzzzz
  ↓       ↓       ↓
Header  Payload  Signature

1. Header

The header specifies the token type and signing algorithm:

{
  "alg": "HS256",
  "typ": "JWT"
}

This is Base64url-encoded to form the first segment.

2. Payload

The payload contains claims - statements about the user and metadata:

{
  "sub": "1234567890",
  "name": "Jane Doe",
  "email": "jane@example.com",
  "iat": 1716192000,
  "exp": 1716278400
}

Registered claims defined in RFC 7519 include:

  • iss - Issuer
  • sub - Subject (usually user ID)
  • aud - Audience
  • exp - Expiration time (Unix timestamp)
  • iat - Issued at
  • nbf - Not valid before

3. Signature

The signature is computed over the first two Base64url segments joined by a dot. With HS256 that is an HMAC keyed with a secret shared by issuer and verifier; with asymmetric algorithms such as RS256 or ES256 the issuer signs with a private key and any holder of the matching public key can verify:

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

How JWT Authentication Works

  1. User logs in with credentials (email/password)
  2. Server validates them and mints a JWT carrying the user's claims
  3. JWT is returned to the client, which stores it (an HttpOnly cookie keeps it out of reach of page scripts; localStorage is readable by any script that runs on the page)
  4. Client sends the JWT with each request in the Authorization header
  5. Server verifies the signature and validates the claims before reading them

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

JWT Security Best Practices

Always verify the signature

Never trust a JWT payload without verifying its signature. Decoding is not verification: anyone can edit the payload and re-encode it, and many libraries expose a decode() helper that skips the signature check entirely. Verify first, then read claims.

Set short expiration times

Use exp aggressively: access tokens should expire in 15 to 60 minutes, and the verifier must reject anything past exp (a clock-skew leeway of a few seconds is reasonable). Use refresh tokens for session continuity.

Use HTTPS only

A signed JWT is not encrypted, only encoded, so anyone on the network path can read it and a stolen token is a usable credential. Always transmit over HTTPS.

Don't store sensitive data in the payload

The payload is Base64url-encoded, not encrypted. Anyone can decode it. Never put passwords, credit card numbers, or secrets in a JWT payload.

Beware the alg: "none" attack

Some JWT libraries accept "alg": "none", which skips signature verification entirely, so an attacker can strip the signature and submit any payload they like. A related algorithm-confusion attack sends a token labelled HS256 to a verifier that expects RS256, so that a careless library uses the RSA public key as the HMAC secret. The fix is the same in both cases: pin the accepted algorithm and key on the server side and reject any token whose header says otherwise, instead of letting the header drive verification.
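As an added example (not code from the article or from DailyUtil's decoder), the following Python mints an HS256 token exactly as the HMACSHA256 formula in the Signature section describes, then verifies it the way the practices above demand: algorithm pinned server-side, constant-time signature comparison, and exp, nbf and aud checked before any claim is trusted. It also builds the two forgeries the text warns about, a re-encoded payload and an "alg": "none" token, and shows both being rejected. The secret, the audience value api.example.com and all function names are assumptions for the demo; the claim values reuse the sample payload shown earlier in the article.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real HS256 key should be random and at least 32 bytes.
SECRET = b"demo-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def mint_hs256(claims: dict, secret: bytes) -> str:
    """header.payload.signature, computed as HMAC-SHA256(b64url(header) + '.' + b64url(payload), secret)."""
    header_b64 = b64url_encode(compact_json({"alg": "HS256", "typ": "JWT"}))
    payload_b64 = b64url_encode(compact_json(claims))
    signature = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes, audience: str, now=None, leeway: int = 30) -> dict:
    """Verify before trusting. Raises ValueError on any failure; returns the claims only on full success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The header is attacker-controlled: the server decides the algorithm, never the token.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # compare_digest is constant-time, so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise ValueError("token expired or exp missing")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("token not yet valid (nbf)")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    return claims


def forge_payload(token: str, new_claims: dict) -> str:
    """Attacker move 1: edit the payload and re-encode it, keeping the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url_encode(compact_json(new_claims))}.{sig_b64}"


def forge_alg_none(new_claims: dict) -> str:
    """Attacker move 2: declare alg=none and send an empty signature segment."""
    header_b64 = b64url_encode(compact_json({"alg": "none", "typ": "JWT"}))
    return f"{header_b64}.{b64url_encode(compact_json(new_claims))}."


def rejects(token: str, secret: bytes, audience: str, now: int) -> bool:
    """True when verify_hs256 refuses the token."""
    try:
        verify_hs256(token, secret, audience, now=now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: iat/exp reuse the payload from earlier in the article.
    now = 1716192100
    aud = "api.example.com"
    claims = {"sub": "1234567890", "aud": aud, "iat": 1716192000, "exp": 1716278400}
    token = mint_hs256(claims, SECRET)
    print("token:", token)
    print("valid claims:", verify_hs256(token, SECRET, aud, now=now))
    admin = dict(claims, sub="admin")
    print("payload swap rejected:", rejects(forge_payload(token, admin), SECRET, aud, now))
    print("alg=none rejected:", rejects(forge_alg_none(admin), SECRET, aud, now))
    print("expired rejected:", rejects(token, SECRET, aud, claims["exp"] + 31))
    print("wrong audience rejected:", rejects(token, SECRET, "billing.example.com", now))
```

The header segment the script produces is the same eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 prefix shown in the Authorization example above, because it encodes the identical {"alg":"HS256","typ":"JWT"} header. Note the order inside verify_hs256: the algorithm check and the signature check come before any claim is parsed for a decision, so neither a swapped payload nor an alg:none header ever reaches the exp and aud logic.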

JWTs vs Session Cookies

Feature       JWT                          Session Cookie
Storage       Client-side                  Server-side
Scalability   ✅ Stateless                  ❌ Requires session store
Revocation    ❌ Hard (needs blocklist)     ✅ Delete from store
Size          Larger (self-contained)      Smaller (just session ID)

Inspect Your JWTs

Use our JWT Decoder to paste any JWT, see its decoded header and payload, and verify the token structure - all in your browser with no data leaving your machine.
