What Is a JWT (JSON Web Token)?
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to transmit information between parties as a JSON object. JWTs are digitally signed — either using a secret key (HMAC algorithms like HS256) or a public/private key pair (RSA or ECDSA) — which means the information can be verified and trusted.
JWTs are used in authentication (proving who you are) and authorization (proving what you're allowed to do). After a user logs in, the server issues a JWT. The client stores this token and sends it with subsequent requests in the Authorization header. The server validates the token's signature and reads the claims to determine access rights — without needing to query the database on every request.
JWT Structure: Header, Payload, Signature
A JWT is three Base64URL-encoded parts joined by dots (header.payload.signature):
- Header: algorithm & token type
- Payload: claims & user data
- Signature: cryptographic verification of the header and payload
Common JWT Claims Explained
| Claim | Full Name | Type | Description |
|---|---|---|---|
| sub | Subject | string | Identifies the principal that is the subject of the JWT — typically a user ID. |
| iss | Issuer | string | Identifies the authentication server that issued the token. Usually a URL (e.g., https://auth.example.com). |
| aud | Audience | string | Identifies the recipients the JWT is intended for. Servers reject tokens where they're not in the audience. |
| exp | Expiration Time | integer | Unix timestamp after which the token must not be accepted. Essential for security — prevents token replay. |
| iat | Issued At | integer | Unix timestamp when the token was issued. Useful for determining token age and time-based policies. |
| nbf | Not Before | integer | Unix timestamp before which the token must not be accepted. Used for tokens issued in advance. |
| jti | JWT ID | string | Unique identifier for the JWT. Enables token blacklisting and prevents replay attacks. |
| alg | Algorithm | string | In the header — specifies the algorithm used to sign the token. E.g., HS256, RS256, ES256. |
| kid | Key ID | string | In the header — identifies which key from a JWKS (JSON Web Key Set) was used to sign the token. |
Security Reminder
JWT payloads are Base64URL encoded, not encrypted. Anyone with access to a JWT can read its contents simply by decoding it — exactly as this tool does. Never store passwords, API secrets, private keys, internal system paths, or sensitive personal information inside JWT payload claims. If a JWT is intercepted or leaked, all its claims are immediately readable without any key or password.
For sensitive data transmission, use JWE (JSON Web Encryption) or ensure tokens are only transmitted over TLS/HTTPS and expire quickly (short exp values).
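To make the three parts and the claim checks above concrete, here is an added example (not part of this page's tool or any library) that builds an HS256 token with a constructed secret, decodes the header and payload with no key at all, and then verifies the signature before enforcing exp, nbf and aud. All values (secret, claims, timestamps) are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    # JWT parts are Base64URL without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token):
    # What anyone holding the token can read: no key, no signature check.
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def sign_hs256(header, claims, secret):
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token, secret, audience, now=None):
    # Check the signature before trusting any claim, then enforce exp, nbf and aud.
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm server-side
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("expired or missing exp")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims

# Constructed demo values (not from any real system).
SECRET = b"constructed-demo-secret"
DEMO_CLAIMS = {"sub": "user-42", "iss": "https://auth.example.com", "aud": "api",
               "iat": 1700000000, "exp": 1700003600, "jti": "constructed-id-1"}
DEMO_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, DEMO_CLAIMS, SECRET)

if __name__ == "__main__":
    print(decode_unverified(DEMO_TOKEN)[1])   # readable without SECRET
    print(verify_hs256(DEMO_TOKEN, SECRET, "api", now=1700000100)["sub"])
```

Note that `decode_unverified` succeeds on a token with a forged payload; only `verify_hs256` rejects it, which is why a decoder like this tool must never stand in for server-side validation.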