What is JWT? Complete Guide with Examples


JSON Web Token (JWT) is an open standard (RFC 7519) for transmitting claims between parties as a compact, URL-safe string. In its common signed form (a JWS), a JWT consists of three Base64URL-encoded parts separated by dots: header.payload.signature. The signature provides integrity and origin authentication, not confidentiality: the payload is only encoded, so anyone who holds the token can read it (hiding the claims requires an encrypted JWT, JWE). JWTs are widely used for authentication and authorization in web applications, enabling stateless session management where the server does not need to store session data.

How Do JSON Web Tokens Work?

The header names the token type (typ: JWT) and the signing algorithm (alg, for example HS256 or RS256). The payload is a JSON object of claims: statements about the principal (sub, name, admin) and metadata (iss, aud, exp, iat). The signature is computed over the ASCII string base64url(header) + "." + base64url(payload), either as an HMAC with a shared secret (HS256) or with a private key (RSA for RS256, ECDSA for ES256). A verifier holding the shared secret recomputes the HMAC and compares it with the token's signature in constant time; a verifier holding the public key checks the asymmetric signature instead. A matching signature shows that header and payload were not altered and were produced by a holder of the key. Two caveats matter in practice: the verifier must fix the acceptable algorithm and key itself rather than trusting the token's own alg field (otherwise an alg: none token, or an RS256 token re-signed with HS256 using the public key as the secret, can be accepted), and a valid signature is only the first check, since exp, nbf, iss and aud still have to be validated before the claims are trusted.
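The mechanism above as an added example (not code from the original page): a minimal HS256 signer and verifier built only on the Python standard library. The verifier pins the algorithm, compares the MAC in constant time and checks exp and aud after the signature. The demo() function then shows which of several constructed tokens (a tampered payload, an expired token, a token signed with a different key, and an alg: none token) it rejects. The secret key and the claim values are constructed for the example; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not from the original page: HS256 JWT sign/verify with stdlib only.


def b64url_encode(data: bytes) -> str:
    """Base64URL without '=' padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the token format strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    # The signing input is exactly base64url(header) + "." + base64url(payload).
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class InvalidToken(Exception):
    pass


def verify_hs256(token: str, key: bytes, expected_aud: str, now=None) -> dict:
    """Return the claims if the token is valid for this verifier, else raise."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise InvalidToken("token must have exactly three segments")
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the token's own header must not choose how it is verified.
    # This rejects alg=none and RS256->HS256 key-confusion tokens alike.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the recomputed MAC with the token's signature.
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise InvalidToken("signature mismatch")
    claims = json.loads(b64url_decode(p_b64))
    # A good signature is not enough: the registered claims still have to hold.
    if "exp" not in claims or now >= claims["exp"]:
        raise InvalidToken("token expired or missing exp")
    if claims.get("aud") != expected_aud:
        raise InvalidToken("wrong audience")
    return claims


def tamper_payload(token: str, **changes) -> str:
    """Attacker's view: rewrite claims in the payload without re-signing."""
    h_b64, p_b64, s_b64 = token.split(".")
    claims = json.loads(b64url_decode(p_b64))
    claims.update(changes)
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return h_b64 + "." + new_payload + "." + s_b64


def demo() -> dict:
    key = b"constructed-demo-secret-do-not-reuse"  # constructed for this example
    issued = 1_700_000_000                         # constructed fixed clock
    claims = {"sub": "1234567890", "admin": False, "aud": "api",
              "iat": issued, "exp": issued + 300}
    token = encode_hs256(claims, key)
    results = {"valid": verify_hs256(token, key, "api", now=issued + 10)["sub"]}

    # alg=none forgery: unsigned header, original payload, empty signature segment.
    none_token = (b64url_encode(b'{"alg":"none","typ":"JWT"}')
                  + "." + token.split(".")[1] + ".")
    attempts = [
        ("tampered", tamper_payload(token, admin=True), issued + 10),
        ("expired", token, issued + 301),
        ("wrong_key", encode_hs256(claims, b"some-other-key"), issued + 10),
        ("alg_none", none_token, issued + 10),
    ]
    for name, candidate, when in attempts:
        try:
            verify_hs256(candidate, key, "api", now=when)
            results[name] = "accepted"
        except InvalidToken as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The verifier takes the expected algorithm, key and audience as its own parameters; nothing about how the token is checked comes from the token. An asymmetric verifier (RS256/ES256) follows the same shape, with the HMAC recomputation replaced by a public-key signature check.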

Key Features

  • Three-part structure: Base64URL-encoded header, payload, and cryptographic signature
  • Stateless authentication — servers verify tokens without database lookups
  • Standard claims: iss (issuer), sub (subject), exp (expiration), iat (issued at), aud (audience)
  • Support for HMAC (symmetric) and RSA/ECDSA (asymmetric) signing algorithms
  • Compact format suitable for HTTP headers and cookies; it also fits in URL parameters, but tokens placed in URLs end up in browser history, referrer headers and server logs, so the Authorization header is the safer carrier

Common Use Cases

API Authentication

After login, the server issues a JWT. Clients include it in the Authorization header (Authorization: Bearer <token>) of subsequent API requests. The server verifies the signature, checks the registered claims (at least exp and aud) and extracts the user identity without a database query.

Single Sign-On (SSO)

JWTs enable SSO across multiple services. A user authenticates with one service and receives a JWT that other services in the ecosystem can verify and accept, using shared or published public keys.

Microservice Authorization

In microservice architectures, JWTs propagate user identity and permissions across service boundaries. Each service independently verifies the token's signature without calling the auth service.
