Understanding JWT Tokens: Structure, Encoding, and Security
2026-03-15
JSON Web Tokens (JWT, RFC 7519) are a widely used way to pass authentication and authorization data between services. A signed JWT (a JWS in compact serialization) is a compact, URL-safe string with three base64url-encoded parts separated by dots: header, payload, and signature.
JWT Structure
An example token, broken at the dots for readability (on the wire it is a single line):

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4iLCJpYXQiOjE1MTYyMzkwMjJ9.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

Decoded, the header is `{"alg":"HS256","typ":"JWT"}` and the payload is `{"sub":"1234567890","name":"John","iat":1516239022}`.

- Header: algorithm (HS256, RS256) and token type. Base64url-encoded.
- Payload: claims such as user ID, expiration and roles. Base64url-encoded, NOT encrypted.
- Signature: an HMAC (HS256) or asymmetric signature (RS256) computed over the encoded header, a dot, and the encoded payload. It lets a verifier detect tampering; it does not hide anything.
Common JWT Claims
| Claim | Description | Example |
|---|---|---|
| sub | Subject (user ID) | "user_123" |
| iat | Issued at (seconds since the Unix epoch) | 1709510400 |
| exp | Expiration (seconds since the Unix epoch); the token is invalid at or after this time | 1709596800 |
| iss | Issuer | "auth.example.com" |
| aud | Audience (a single string or a list of strings) | "api.example.com" |
Security Best Practices
- Always verify the signature server-side, with the algorithm and key chosen by the verifier rather than read from the token's alg header, and reject anything else, including alg "none". Then check exp, iss and aud. Never trust a JWT without validation.
- Set short expiration times (15-60 minutes) and use refresh tokens, which can be revoked server-side, for longer sessions.
- Don't store sensitive data in the payload. JWTs are encoded, not encrypted; anyone who obtains the token can decode it.
- Use an asymmetric algorithm such as RS256 when several services verify tokens: each verifier needs only the public key, so a compromised verifier cannot mint tokens. With HS256 every verifier holds the signing secret and can forge tokens.
- Store tokens in httpOnly, Secure, SameSite cookies rather than localStorage. Script injected through XSS can read localStorage but cannot read an httpOnly cookie. Cookies are sent automatically by the browser, so pair them with CSRF protection.
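The following Python puts the structure section and the verification rules above into working code. It is an added example, not code from this page or from any JWT library: the demo secret `DEMO_KEY`, the claim values, and the verification policy (algorithm pinned to HS256, required iss and aud, no clock-skew leeway) are assumptions for illustration. It decodes the page's example token without verifying it, as an online decoder would, then signs a fresh HS256 token and shows how a verifier rejects a tampered payload, an expired token, a wrong audience, and an alg "none" token.

```python
"""Decode, sign and verify HS256 JSON Web Tokens with only the standard library.

Added example (not code from this page or from any JWT library). The demo
secret, the claim values and the verification policy (pinned algorithm,
required iss and aud, no clock-skew leeway) are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical HMAC secret for the demo; a real one comes from a secret store.
DEMO_KEY = b"example-secret-at-least-32-bytes-long!"

# The example token from the page, with its line breaks removed.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4iLCJpYXQiOjE1MTYyMzkwMjJ9."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment):
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _compact_json(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_jwt(token):
    """Split a compact JWT into (header, payload, signature) WITHOUT verifying it.

    This is all an online decoder does: anyone holding the token can read the
    header and payload, which is why the payload must never carry secrets.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def sign_hs256(claims, key):
    """Build base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    signing_input = _compact_json({"alg": "HS256", "typ": "JWT"}) + "." + _compact_json(claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token, key, issuer, audience, now=None):
    """Return the claims if signature and claims check out; raise ValueError otherwise.

    The verifier pins the algorithm instead of trusting the token's alg header,
    so 'alg: none' and algorithm-confusion tokens are rejected before any
    cryptography happens.
    """
    header, claims, signature = decode_jwt(token)
    if header.get("alg") != "HS256":
        raise ValueError("alg not allowed: %r" % header.get("alg"))
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison; a plain '==' leaks how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature mismatch")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected iss")
    aud = claims.get("aud")  # a single string or a list of audiences
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise ValueError("token not intended for this audience")
    return claims


def rejection_reason(token, key, issuer, audience, now=None):
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_hs256(token, key, issuer, audience, now)
        return None
    except ValueError as err:
        return str(err)


def tamper_payload(token, changes):
    """Rewrite payload claims but keep the old signature: what someone who can
    decode but not sign would try. A correct verifier rejects the result."""
    header_b64, _, signature_b64 = token.split(".")
    _, claims, _ = decode_jwt(token)
    claims.update(changes)
    return header_b64 + "." + _compact_json(claims) + "." + signature_b64


if __name__ == "__main__":
    print(decode_jwt(PAGE_TOKEN)[:2])
    now = int(time.time())
    token = sign_hs256({"sub": "user_123", "iss": "auth.example.com",
                        "aud": "api.example.com", "iat": now, "exp": now + 900}, DEMO_KEY)
    print(verify_hs256(token, DEMO_KEY, "auth.example.com", "api.example.com"))
    print(rejection_reason(tamper_payload(token, {"sub": "admin"}), DEMO_KEY,
                           "auth.example.com", "api.example.com"))
```

The verifier never looks at the token's alg to decide what to do; it decides up front that only HS256 with its own key is acceptable. That single rule is what closes the alg "none" and RS256-to-HS256 key-confusion classes of bugs. Production code would add a small leeway for clock skew on exp and, for RS256, a keyed lookup by kid against a trusted JWKS.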
Decode and Encode JWTs Online
Use our JWT Decoder to paste a JWT and see header, payload, and signature separated and decoded. A decoder shows what the token contains; it does not verify the signature, so avoid pasting live production tokens into any online tool. For creating JWTs, try JWT Encoder.
Need to generate secure secrets for JWT signing? Use Secure Token Generator for random hex/Base64 keys; an HS256 secret should be at least 32 random bytes (256 bits). For timestamp conversion in exp/iat claims, use Epoch Converter. Browse all Parsers for cURL, URL, regex, and more.