
JWT Tutorial: What is a JSON Web Token and How Does It Work?

Published March 5, 2026 • 10 min read

JWT is the most widely used token format for API authentication. This tutorial explains the structure, how signatures work, and how to decode and verify JWTs — with no fluff.


What is a JWT?

JWT stands for JSON Web Token. It is an open standard (RFC 7519) that defines a compact, self-contained way to securely transmit information between parties as a JSON object.

A JWT looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzQwOTg3MjAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Three parts separated by dots (.): Header . Payload . Signature

JWT Structure: Header, Payload, Signature

1. Header

The header specifies the token type and signing algorithm. It is Base64URL encoded.

{
  "alg": "HS256",
  "typ": "JWT"
}

alg is the algorithm: HS256 (HMAC-SHA256), RS256 (RSA), ES256 (ECDSA). typ is always JWT.

2. Payload (Claims)

The payload contains the claims — statements about the user and additional metadata. Also Base64URL encoded.

{
  "sub": "1234567890",
  "name": "Alice",
  "email": "alice@example.com",
  "role": "admin",
  "iat": 1740987200,
  "exp": 1741073600
}

Standard claims: sub (subject/user ID), iat (issued at), exp (expiration), iss (issuer), aud (audience).

Important: The payload is only encoded, not encrypted. Anyone can read it. Never put passwords or sensitive data in a JWT payload.

3. Signature

The signature verifies the token has not been tampered with. It is computed as:

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

Only parties that know the secret (for HS256) or hold the private key (for RS256) can create valid tokens. With an asymmetric algorithm such as RS256, anyone holding the public key can verify the signature; with HS256, verification requires the same shared secret that was used to sign.

How JWT Authentication Works

  1. User logs in with username and password
  2. Server validates credentials, creates a JWT signed with a secret/private key
  3. Server sends the JWT to the client
  4. Client stores the JWT (ideally in an httpOnly cookie)
  5. Client sends the JWT in the Authorization: Bearer <token> header on every request
  6. Server verifies the signature and reads the claims — no database lookup needed
  7. If the token is expired or the signature is invalid, the request is rejected

How to Decode a JWT

Since the header and payload are Base64URL encoded (not encrypted), you can decode them without the secret:

In JavaScript:

function decodeJWT(token) {
  const [header, payload] = token.split('.');
  const decode = str => {
    // Base64URL -> Base64, then restore the '=' padding that JWTs omit
    let b64 = str.replace(/-/g, '+').replace(/_/g, '/');
    b64 += '='.repeat((4 - (b64.length % 4)) % 4);
    // atob returns a byte string; decode it as UTF-8 so non-ASCII claims survive
    const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
  };
  return {
    header: decode(header),
    payload: decode(payload)
  };
}

const decoded = decodeJWT('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...');
console.log(decoded.payload.name); // "Alice"

Or use the free JWT Decoder tool — paste your token and instantly see the decoded header, payload, claims, and expiry time.

JWT Signing Algorithms

Algorithm   Type                         Use Case
HS256       Symmetric (shared secret)    Single server, simple apps
RS256       Asymmetric (RSA key pair)    Microservices, third-party verification
ES256       Asymmetric (ECDSA)           High-security apps, smaller key size
none        No signature                 Never use in production

Common JWT Security Mistakes

Frequently Asked Questions

What is the difference between JWT and OAuth?

OAuth is an authorization framework that defines how applications can obtain limited access to user accounts. JWT is a token format. OAuth commonly uses JWTs as its access tokens, but OAuth can also use opaque tokens. They are complementary, not competing.

How long should a JWT be valid?

Access tokens should expire in 15 minutes to 1 hour. Use refresh tokens (longer-lived, stored in httpOnly cookies) to silently issue new access tokens. Short expiry limits the damage if a token is stolen.

Can I use JWT without HTTPS?

No. JWT tokens must be transmitted over HTTPS. Over plain HTTP, tokens can be intercepted by a man-in-the-middle attack. Always use TLS in production.

Where can I decode a JWT for debugging?

Use the JWT Decoder at JSON Web Tools. Unlike jwt.io, your token is decoded entirely in your browser and never sent to any server, making it safe to use with real tokens during debugging.
