
What is a JWT and how does it work? Complete Guide

Discover what JSON Web Tokens (JWT) are, their Header, Payload, and Signature structure, and how to use them securely for authentication.

SimpleQuickTools

JSON Web Tokens (JWT) have become the de facto standard for safely transmitting information between parties as a JSON object. In this article, we’ll break down what they are, how they work, and why they are essential for modern authentication.

Introduction

If you’re a web developer, you’ve probably seen the term JWT (pronounced “jot”). It’s an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

The most common scenario for using JWT is authentication. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.

Structure of a JWT

A JWT is simply a long string of characters, separated by two dots (.) into three parts:

  • Header
  • Payload
  • Signature

Therefore, a JWT typically looks like this: xxxxx.yyyyy.zzzzz

1. Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

Important note: The payload is only Base64url encoded, not encrypted. Do not put secret information (like passwords) in the payload, as anyone who obtains the token can decode it without the key. You can use our JWT Inspector tool to see this in action.

3. Signature

To create the signature part, you take the Base64url-encoded header and the Base64url-encoded payload, join them with a dot, and sign that string with a secret using the algorithm specified in the header (for example, HMAC SHA256).

The signature is used to verify that the message wasn’t changed along the way.
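To see the three parts being built and checked end to end, here is an added example in plain Python (standard library only); it is not code from the original article or from SimpleQuickTools. It builds an HS256 token from the header and payload shown above, verifies the signature with a constant-time comparison, checks an optional exp claim, and decodes the payload without the secret to show why secrets must never go in it. The secret value and the exp timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    # JWTs use base64url with the trailing '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped so the decoder accepts the input.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: dict) -> bytes:
    # No whitespace between tokens, matching the compact form used in JWTs.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def create_jwt(payload: dict, secret: bytes) -> str:
    """Return base64url(header).base64url(payload).base64url(HMAC-SHA256 signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    encoded_header = b64url_encode(compact_json(header))
    encoded_payload = b64url_encode(compact_json(payload))
    # The signing input is exactly the first two segments joined by a dot.
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{encoded_header}.{encoded_payload}.{b64url_encode(signature)}"


def decode_payload_unverified(token: str) -> dict:
    """Read the claims without the secret: the payload is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Check the signature and the 'exp' claim; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    encoded_header, encoded_payload, encoded_signature = parts

    # The verifier pins the algorithm it accepts instead of trusting the header's 'alg'.
    header = json.loads(b64url_decode(encoded_header))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")

    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(encoded_signature)):
        raise ValueError("signature does not match")

    claims = json.loads(b64url_decode(encoded_payload))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token has expired")
    return claims


def is_valid(token: str, secret: bytes, now=None) -> bool:
    """Convenience wrapper: True if verify_jwt accepts the token."""
    try:
        verify_jwt(token, secret, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # placeholder, not a real key
    claims = {"sub": "1234567890", "name": "John Doe", "admin": True}
    token = create_jwt(claims, SECRET)
    print("token:", token)
    print("payload readable without the secret:", decode_payload_unverified(token))
    print("verified claims:", verify_jwt(token, SECRET))
    print("accepted with a different secret?", is_valid(token, b"other"))
```

The first two segments of the token produced here are the same strings you will see in the JWT Inspector for this header and payload, since encoding is deterministic; only the signature depends on the secret. Two design choices matter for the verifier: it decides which algorithm it accepts rather than reading that from the token, and it compares signatures with hmac.compare_digest rather than ==.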

When should you use JSON Web Tokens?

  • Authentication: This is the most common scenario. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.
  • Information Exchange: JWTs are a good way of securely transmitting information between parties. Because JWTs can be signed (for example, using public/private key pairs), you can be sure the senders are who they say they are.

Conclusion

JWTs are a powerful and flexible tool for modern web security. Understanding their structure and limitations is key to using them correctly.

Need to debug a token? Don’t forget to try our Free JWT Inspector.
