What is JWT?

JWT (JSON Web Token) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using a cryptographic algorithm.

Quick Facts

Full NameJSON Web Token
Created2010 (standardized in RFC 7519 in 2015)
SpecificationOfficial Specification

How It Works

A JWT consists of three parts separated by dots: Header, Payload, and Signature. The Header typically contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256). The Payload contains the claims - statements about the user and additional metadata. The Signature is created by encoding the header and payload, then signing them with a secret key. JWTs are self-contained, meaning all necessary information is within the token itself, eliminating the need for database lookups during verification. Security best practices: Never store sensitive data (passwords, PII) in JWT payloads as they are only encoded, not encrypted. Use short expiration times and implement token refresh mechanisms. Validate the algorithm header to prevent 'none' algorithm attacks. Store tokens securely (HttpOnly cookies preferred over localStorage). Consider using JWE (JSON Web Encryption) for sensitive payloads.

Key Characteristics

  • Self-contained - carries all required information within the token
  • Compact - can be sent via URL, POST parameter, or HTTP header
  • Stateless authentication - server doesn't need to store session data
  • Digitally signed - integrity can be verified
  • Can be encrypted (JWE) for confidentiality
  • Has expiration time (exp claim) for security

Common Use Cases

  1. User authentication in web and mobile applications
  2. Single Sign-On (SSO) across multiple domains
  3. API authorization and access control
  4. Information exchange between services
  5. Stateless session management

Example

loading...
Loading code...

Frequently Asked Questions

Is JWT secure? Can it be decoded by anyone?

JWT payloads are Base64-encoded, not encrypted, so anyone can decode and read the contents. The signature ensures the token hasn't been tampered with, but doesn't hide the data. Never store sensitive information like passwords in JWT payloads. For confidential data, use JWE (JSON Web Encryption).

What happens when a JWT expires?

When a JWT expires (based on the 'exp' claim), it becomes invalid and should be rejected by the server. Users need to obtain a new token, typically by re-authenticating or using a refresh token. Implementing short expiration times with refresh tokens is a security best practice.

Where should I store JWT tokens in a web application?

The most secure option is HttpOnly cookies, which prevent JavaScript access and protect against XSS attacks. Avoid localStorage as it's vulnerable to XSS. If using localStorage is necessary, implement additional security measures like token fingerprinting and short expiration times.

What is the difference between HS256 and RS256 algorithms?

HS256 is a symmetric algorithm using a single secret key for both signing and verification, suitable for scenarios where the same party signs and verifies. RS256 is asymmetric, using a private key to sign and a public key to verify, ideal for distributed systems where multiple services need to verify tokens without knowing the signing key.

How do I invalidate or revoke a JWT before it expires?

JWTs are stateless by design, making immediate revocation challenging. Common approaches include: maintaining a token blacklist in a database or cache (like Redis), using short expiration times with refresh tokens that can be revoked, or implementing token versioning at the user level.

Related Tools

JWT Generator

Free online JWT generator and bearer token creator. Generate secure JWT secret keys, create and decode JSON Web Tokens with HS256, HS384, HS512 algorithms.

Base64 Encoder/Decoder

Free online Base64 encoder and decoder. Encode text and images to Base64, decode Base64 to text and images. Supports UTF-8, file to Base64, data URI generation. Fast, secure, and easy to use.

Related Terms

JSON

JSON (JavaScript Object Notation) is a lightweight, text-based data interchange format that is easy for humans to read and write, and easy for machines to parse and generate. It is based on a subset of JavaScript syntax but is language-independent.

Base64

Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string format by translating it into a radix-64 representation. It uses 64 printable characters (A-Z, a-z, 0-9, +, /) to encode binary data.

OAuth

OAuth (Open Authorization) is an open standard authorization protocol that allows users to grant third-party applications limited access to their resources without sharing their credentials. It enables secure delegated access through access tokens.

Bearer Token

Bearer Token is an access token type used in HTTP authentication where the client presents a token to access protected resources. The term 'bearer' means that any party holding the token can use it to access the resource, without needing additional proof of identity.

Related Articles

JWT Principles & Applications Complete Guide【2026】- JSON Web Token Best Practices

Master JWT principles, structure, and security practices. Includes complete code examples in JavaScript, Python, Java covering API authentication, refresh tokens, secure storage. Start implementing JWT best practices now!

2024-07-26

JWT Secret Key Generator Guide【2026】- How to Generate Secure JWT Secrets

Learn how to generate secure JWT secret keys. Complete guide covering key length requirements, cryptographic randomness, HS256/HS384/HS512 algorithms, and best practices for JWT secret key generation.

2026-01-25

Base64 Encoding & Decoding Guide【2026】- Free Online Encoder with Code Examples

Master Base64 encoding and decoding with practical examples in JavaScript, Python, and Java. Free online Base64 encoder tool. Learn data URLs, JWT, HTTP authentication, and best practices.

2024-01-15