What is JWT? Complete Guide to JSON Web Tokens
What is a JSON Web Token (JWT)?
JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It's compact, URL-safe, and self-contained, making it perfect for authentication and information exchange.
JWT Structure: Three Parts
A JWT consists of three parts separated by dots (.):
xxxxx.yyyyy.zzzzz
HEADER.PAYLOAD.SIGNATURE
1. Header
Contains metadata about the token, including type and signing algorithm:
{
"alg": "HS256",
"typ": "JWT"
}
2. Payload
Contains the claims (statements about the user and additional data):
{
"sub": "1234567890",
"name": "John Doe",
"admin": true,
"iat": 1516239022,
"exp": 1516242622
}
3. Signature
Used to verify the token hasn't been tampered with:
HMACSHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
secret
)
Standard JWT Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who created the token |
| sub | Subject | User ID/identifier |
| aud | Audience | Who the token is intended for |
| exp | Expiration | When the token expires (timestamp) |
| nbf | Not Before | Token not valid before this time |
| iat | Issued At | When the token was created |
| jti | JWT ID | Unique token identifier |
How JWT Authentication Works
- Login: User sends credentials to server
- Token Generation: Server validates credentials and creates JWT
- Token Storage: Client stores the JWT (usually in localStorage or an httpOnly cookie)
- API Requests: Client sends JWT in Authorization header
- Verification: Server verifies signature and extracts user info
- Response: Server processes request and returns data
Signing Algorithms
HMAC (Symmetric)
- HS256: HMAC with SHA-256 (most common)
- HS384: HMAC with SHA-384
- HS512: HMAC with SHA-512
RSA (Asymmetric)
- RS256: RSA with SHA-256
- RS384: RSA with SHA-384
- RS512: RSA with SHA-512
JWT Best Practices
Security Tips:
- Always use HTTPS in production
- Set short expiration times (15-30 minutes)
- Use strong secret keys (min 256 bits for HS256)
- Validate all claims (iss, aud, exp)
- Never store sensitive data in JWT payload
- Don't use "none" algorithm in production
JWT vs Session-Based Auth
| Feature | JWT | Session |
|---|---|---|
| Storage | Client-side | Server-side |
| Scalability | Excellent (stateless) | Harder (needs shared storage) |
| Size | Larger | Smaller (just session ID) |
| Revocation | Difficult | Easy |
Common Use Cases
- Single Sign-On (SSO): Share authentication across multiple domains
- Mobile Apps: Stateless authentication for mobile clients
- Microservices: Pass user context between services
- API Authentication: Secure REST API endpoints
Conclusion
JWT is a powerful standard for stateless authentication. Its self-contained nature makes it perfect for modern distributed systems, but proper security practices are essential. Always validate tokens, use strong secrets, and set appropriate expiration times.