What is a JWT (JSON Web Token)?

A JWT is a compact, URL-safe token that encodes a set of claims as a JSON object and signs them so recipients can verify they haven't been tampered with.

Definition

JWT stands for JSON Web Token (pronounced "jot"). It is an open standard (RFC 7519) for transmitting information between parties as a JSON object. The information can be verified and trusted because it is digitally signed.

Structure

A JWT looks like this: xxxxx.yyyyy.zzzzz

It has three parts, separated by dots:

  • Header — specifies the token type (JWT) and the signing algorithm (e.g., HS256, RS256). Base64URL-encoded.
  • Payload — contains the claims: statements about the user and any additional data. Base64URL-encoded. Not encrypted by default — anyone can read it.
  • Signature — produced by signing the encoded header and payload with a secret or private key. Used to verify the token hasn't been altered.

Common Claims

  • sub — subject (who the token is about, e.g. a user ID)
  • iss — issuer (who issued the token)
  • exp — expiration time (Unix timestamp)
  • iat — issued at (when the token was created)
  • roles, email — custom claims added by the application

How Authentication Works with JWTs

  1. User logs in with credentials.
  2. Server verifies credentials and issues a signed JWT.
  3. Client stores the JWT (usually in memory or localStorage).
  4. On each subsequent request, client sends the JWT in the Authorization: Bearer <token> header.
  5. Server verifies the signature without hitting the database — the token is self-contained.
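As an added example (written for this page, not code from the original or from any JWT library), the following Python script walks through the Structure section above and steps 2, 4 and 5 of the flow: it mints an HS256 token using only the standard library, shows that the header and payload can be read back with no secret at all, and then validates a request's Authorization: Bearer header the way a stateless API would, checking the signature in constant time and the exp claim. The secret, the claim values and the function names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret; a real service would load this from a secret store.
SECRET = b"demo-secret-do-not-use-in-production"
ALLOWED_ALG = "HS256"


def b64url_encode(raw: bytes) -> str:
    """Base64URL without '=' padding, which is how JWT segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding the encoder stripped, then decode."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def sign(signing_input: bytes, secret: bytes) -> bytes:
    """HS256 is HMAC-SHA256 over the string 'header.payload'."""
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def mint(claims: dict, secret: bytes) -> str:
    """Step 2: the server builds header.payload.signature."""
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{head}.{body}".encode("ascii")
    return f"{head}.{body}.{b64url_encode(sign(signing_input, secret))}"


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Read header and payload with no secret: they are encoded, not encrypted."""
    head, body, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))


def verify(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Step 5: authenticate the token locally; return its claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    # Pin the algorithm the server expects; the header is untrusted until verified.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg")
    expected = sign(f"{head}.{body}".encode("ascii"), secret)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authenticate_request(headers: dict, secret: bytes, now: Optional[float] = None) -> dict:
    """Steps 4 and 5: take the bearer token from the Authorization header and verify it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    return verify(token, secret, now)


if __name__ == "__main__":
    issued = int(time.time())
    token = mint({"sub": "user-42", "iss": "demo-issuer", "iat": issued, "exp": issued + 900}, SECRET)
    print("token:", token)
    print("readable without the secret:", decode_unverified(token))
    print("verified claims:", authenticate_request({"Authorization": "Bearer " + token}, SECRET))
```

Note that decode_unverified only needs the token itself, which is the point of the "Is a JWT Encrypted?" section: reading claims and trusting claims are different operations, and only verify does the latter.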

Is a JWT Encrypted?

No, by default. The payload is Base64URL-encoded, which is readable by anyone. The signature only proves the token hasn't been modified. If you need to hide the payload, use JWE (JSON Web Encryption).


Frequently Asked Questions

Is a JWT the same as a session token?

Not exactly. Traditional session tokens are opaque IDs that the server looks up in a database. JWTs are self-contained — the server validates the signature locally without a database lookup, making them better suited to stateless APIs.

Where should I store a JWT?

The safest option is in memory (a JavaScript variable). Storing in localStorage makes it accessible to JavaScript and vulnerable to XSS. Storing in an HttpOnly cookie protects from XSS but requires CSRF protection.

What does "Bearer token" mean?

"Bearer" means whoever holds (bears) the token is authorised. The token is sent in the HTTP header: Authorization: Bearer <jwt>.

Can I decode a JWT without the secret?

Yes — the header and payload are just Base64URL-encoded. You can read them without the secret. However, you cannot verify the signature without the secret or public key.

Related Terms

  • Base64 — The encoding (in its URL-safe Base64URL variant) used for JWT headers and payloads.
  • Hash Functions — Used in HMAC signing algorithms like HS256.
  • JSON — The data format that JWT payloads are built on.