What is a JWT token?
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims (information) between two parties. JWTs are widely used for authentication — when you log in to a web application, the server often returns a JWT that your browser stores and sends with every request to prove you're authenticated.
JWT structure
A JWT consists of 3 parts separated by dots:
eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIn0.signature
^HEADER^ ^PAYLOAD^ ^SIGNATURE^
Each part is Base64URL encoded (standard Base64 with `-` and `_` in place of `+` and `/`, and the trailing `=` padding removed). The header and payload are JSON; the signature is raw signature bytes. Base64URL is an encoding, not encryption, so anyone holding the token can read the header and payload.
Header
Contains the algorithm and token type:
{
"alg": "RS256",
"typ": "JWT"
}
Payload
Contains the claims (data):
{
"sub": "user123",
"email": "user@example.com",
"iat": 1712000000,
"exp": 1712086400
}
Signature
Computed over the encoded header and payload (`header.payload`), so any change to either part invalidates it. Who can check it depends on `alg`: with an HMAC algorithm such as HS256 the verifier needs the shared secret, while with an asymmetric algorithm such as RS256 (used in the example above) or ES256 only the issuer's public key is needed. Decoding a token does not verify it; a decoder shows the claims but cannot tell you whether they are genuine.
Common JWT claims explained
| Claim | Full name | Meaning |
|---|---|---|
| sub | Subject | User ID or identifier |
| iat | Issued At | When the token was created (Unix timestamp) |
| exp | Expiration | When the token expires (Unix timestamp) |
| nbf | Not Before | Token not valid before this time (Unix timestamp) |
| iss | Issuer | Who created the token |
| aud | Audience | Who the token is intended for |
JWT security warnings
- Never paste production JWTs into any online tool: a valid JWT is a bearer credential, so whoever holds it can act as that user until it expires
- JWTs are encoded, not encrypted: anyone who obtains the token can decode the payload and read every claim
- Decoding is not verifying: the signature can only be checked with the right key (the shared secret for HS256, the issuer's public key for RS256/ES256), and the server must pin the algorithm it accepts rather than trusting the `alg` value in the token
- Servers must reject tokens past their `exp` and before their `nbf`, and should check `iss` and `aud`; the client cannot be trusted to enforce any of this
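Decoding versus verifying, as an added example that is not the page's or the decoder tool's own code: a minimal decoder for the three-part structure described above, an HS256 signer to mint a test token, and a verifier that pins the algorithm, checks the HMAC in constant time and only then enforces `exp`, `nbf` and `aud`. The secret, audience, fixed clock, tampered token and `alg: none` token are all constructed for the demo. HS256 is used because it runs offline without a key pair; the same verify-before-trust rule applies to RS256 with the issuer's public key.

```python
import base64
import hashlib
import hmac
import json
import time

# The page's example token: header {"alg":"RS256"}, payload {"sub":"user123"},
# with a placeholder word in the signature slot.
PAGE_EXAMPLE = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIn0.signature"

# Assumed values for the demo (not from the page): a shared HS256 secret, the
# audience our service expects, and a fixed "now" inside the page's iat/exp window.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_AUD = "example-app"
DEMO_NOW = 1712000100


def b64url_decode(segment: str) -> bytes:
    """Base64URL-decode one JWT segment, restoring the '=' padding JWT strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Base64URL-encode without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Split a JWT and decode header and payload. Performs NO verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature_b64": signature_b64,
    }


def hs256_signature(header_b64: str, payload_b64: str, secret: bytes) -> bytes:
    """HS256 is HMAC-SHA256 over the ASCII string '<header>.<payload>'."""
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint a token the way an issuer would (constructed for the demo)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hs256_signature(header_b64, payload_b64, secret)
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, expected_aud: str, now=None):
    """Return (ok, reason). Pin the algorithm, check the MAC in constant time,
    then enforce exp, nbf and aud. Only after this may the claims be trusted."""
    now = time.time() if now is None else now
    header_b64, payload_b64, _ = token.split(".")
    decoded = decode_jwt(token)
    # The server decides which algorithm it accepts; never let the token choose.
    if decoded["header"].get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hs256_signature(header_b64, payload_b64, secret)
    if not hmac.compare_digest(expected, b64url_decode(decoded["signature_b64"])):
        return False, "bad signature"
    claims = decoded["payload"]
    if "exp" not in claims or now >= claims["exp"]:
        return False, "expired"
    if now < claims.get("nbf", 0):
        return False, "not yet valid"
    if claims.get("aud") != expected_aud:
        return False, "wrong audience"
    return True, "ok"


def demo() -> dict:
    """Run the failure modes the warnings above describe; returns the outcomes."""
    claims = {"sub": "user123", "email": "user@example.com",
              "iat": 1712000000, "exp": 1712086400, "aud": EXPECTED_AUD}
    good = make_hs256_jwt(claims, DEMO_SECRET)

    # Tampered: swap in a payload with a different subject, keep the old signature.
    header_b64, _, sig_b64 = good.split(".")
    forged_payload = b64url_encode(json.dumps(dict(claims, sub="admin")).encode())
    tampered = f"{header_b64}.{forged_payload}.{sig_b64}"

    # Unsigned: header claims alg "none" and the signature slot is empty.
    none_header = b64url_encode(b'{"alg":"none"}')
    unsigned = f"{none_header}.{forged_payload}."

    return {
        "good": verify_hs256(good, DEMO_SECRET, EXPECTED_AUD, now=DEMO_NOW),
        "tampered_decodes_as": decode_jwt(tampered)["payload"]["sub"],
        "tampered": verify_hs256(tampered, DEMO_SECRET, EXPECTED_AUD, now=DEMO_NOW),
        "alg_none": verify_hs256(unsigned, DEMO_SECRET, EXPECTED_AUD, now=DEMO_NOW),
        "expired": verify_hs256(good, DEMO_SECRET, EXPECTED_AUD, now=claims["exp"]),
        "wrong_aud": verify_hs256(good, DEMO_SECRET, "other-app", now=DEMO_NOW),
    }


if __name__ == "__main__":
    print("page example payload:", decode_jwt(PAGE_EXAMPLE)["payload"])
    for name, result in demo().items():
        print(name, result)
```

The tampered token decodes cleanly and shows `sub: admin`, which is exactly what an online decoder would display; only `verify_hs256` catches it, and it does so before looking at any claim. The `alg` check runs first so a token that names a different algorithm is rejected regardless of what its signature slot contains.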
How to decode JWT for free
- Go to JWT Decoder
- Paste your JWT token
- View decoded header and payload instantly
- Check expiry time in human-readable format
- Your token is never sent to any server