InoTools Blog
Category:Tutorial

What is JWT? Understanding JSON Web Tokens

JWT is widely used for authentication in web apps and APIs. Learn how it works and how to inspect tokens safely.

What is JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a compact, digitally signed JSON token.

JWTs are primarily used for:

  • Authentication — After login, the server issues a JWT, and subsequent requests are verified using the token
  • Information Exchange — Since the signature detects tampering, trusted data exchange is possible
  • Authorization — User permissions can be embedded in the token for access control

JWT Structure

A JWT consists of three parts separated by dots (.):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header

Specifies the signing algorithm and token type.

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

Contains user information and metadata (claims).

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

Standard claims include:

  • sub — Subject
  • iat — Issued At
  • exp — Expiration Time
  • iss — Issuer
  • aud — Audience

3. Signature

The Base64URL-encoded header and payload are joined with a dot and signed with a secret key; this signature is what lets the verifying server detect tampering.

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

Why Do You Need JWT?

Traditional session-based authentication requires the server to maintain session data. JWT solves several challenges:

  • Scalability issues — No session store needed, making horizontal server scaling easy
  • Microservice authentication — Each service can independently verify tokens
  • Mobile app integration — Authentication without cookie dependency

Benefits of JWT

  • Stateless authentication — No server-side session management; each request is verified by the token alone
  • Cross-domain support — Sent via the Authorization header, avoiding CORS restrictions
  • Compact — Small enough for URLs and HTTP headers, minimizing network overhead
  • Self-contained — The token itself contains user information, reducing database queries

How to Decode JWTs

JWT decoding is easy with our JWT Encoder / Decoder. All processing happens entirely in your browser—your tokens are never sent to any external server. Free with no registration required.

How to Use the Tool

  1. Open the JWT Encoder / Decoder
  2. Paste a JWT token into the input field
  3. The header, payload, and signature are automatically decoded and displayed as formatted JSON
  4. Check the exp claim to verify the expiration time
  5. Optionally verify the signature

Frequently Asked Questions

Q. Is JWT encrypted?

A. Standard JWTs (JWS) are signed but not encrypted. The payload is readable by anyone via Base64URL decoding. Never include sensitive data in the payload. If encryption is needed, use JWE (JSON Web Encryption).

Q. Where can I check JWT expiration?

A. Check the exp (Expiration Time) claim in the payload. The value is a Unix timestamp (epoch seconds). You can convert it to a human-readable date with our Unix Timestamp Converter.

Q. Can JWT tokens be tampered with?

A. The payload contents can be modified, but a valid signature cannot be generated without the correct secret key. Server-side signature verification detects any tampering.
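The signature formula from the Signature section and the two checks just described (the exp claim and tamper detection) carried out end to end, as an added Python example that is not part of the original page or of the InoTools tool. It uses only the standard library; SECRET and the claim values in the round trip are constructed for the example, while PAGE_TOKEN is the sample token shown above.

```python
import base64
import hashlib
import hmac
import json
import time

# Sample token from the page; its header and payload are plain Base64URL JSON.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")
# Constructed demo secret for the sign/verify round trip; not from the page.
SECRET = b"demo-secret-for-this-example-only"

def b64url_encode(data: bytes) -> str:
    """Base64URL without '=' padding, as used for every JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    signing_input = ".".join(segments)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def decode_unverified(token: str) -> tuple:
    """What a decoder tool shows: header and payload are readable without the secret."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Server-side check: pin the algorithm, compare the MAC in constant time, enforce exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier decides the algorithm, not the token
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # payload was edited or the secret is wrong
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and claims["exp"] <= (int(time.time()) if now is None else now):
        raise ValueError("token expired")  # exp is Unix epoch seconds
    return claims
```

Decoding never needs the secret, which is why the FAQ warns against putting sensitive data in the payload; only verify_hs256 proves the token is authentic and still valid.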

Related Terms

  • JWT (JSON Web Token) — A compact, self-contained token format. Standardized in RFC 7519
  • JWS (JSON Web Signature) — A signed JWT. The most common format
  • JWE (JSON Web Encryption) — An encrypted JWT. Protects payload confidentiality
  • Claims — Information in the token (user ID, permissions, expiration, etc.)
  • Signature — Mechanism to detect token tampering
  • Base64URL — URL-safe Base64 encoding used for each JWT segment