JWT (JSON Web Token)

A signed token that proves who you are without a database lookup.


What is a JWT?

A JSON Web Token is a string that contains encoded data, typically used for authentication. It has three parts separated by dots: header, payload, and signature.

When you log into a website and stay logged in, there's often a JWT involved. The server creates one, hands it to your browser, and your browser sends it back with every request to prove who you are.

Despite what the name suggests, the data inside isn't encrypted—it's just base64 encoded. Anyone can read it. The signature just proves it hasn't been tampered with.

Example

Here's what a JWT looks like:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded, the payload contains:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

The three parts:

  1. Header - Algorithm and token type (HS256, JWT)
  2. Payload - Your actual data (claims)
  3. Signature - Proof the token wasn't modified

Where You'll See This

  • Authorization headers (Bearer <token>)
  • OAuth 2.0 and OpenID Connect flows
  • Single sign-on (SSO) systems
  • API authentication
  • Session management in SPAs

Common Gotchas

⚠️ Security Note

JWTs are not encrypted by default. Don't store secrets, passwords, or sensitive data in them. Anyone with the token can decode and read the payload.

  • Can't be invalidated easily - Once issued, a JWT is valid until it expires. You need extra infrastructure (like a blocklist) to revoke them early.
  • The exp claim is a Unix timestamp - It's seconds since 1970, not a date string. A common bug is comparing it against the wrong unit or type (milliseconds, or a date string).
  • Size matters - JWTs can get large. Every request carries the full token, which adds up.
  • Pronunciation - It's "jot" (yes, really). Though most people just say "J-W-T".
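The three-part structure and the two gotchas above (readable payload, exp as Unix seconds) worked through in code. This is an added example, not code from the original page: it decodes the page's own token without any key, then signs and verifies a fresh HS256 token with a constructed demo key and an integer exp check.

```python
import base64
import hashlib
import hmac
import json
import time

# The token shown on the page (header.payload.signature).
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with padding stripped; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token: str):
    # No key needed: anyone holding the token can read the header and payload.
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(payload: dict, key: bytes) -> str:
    # The signature covers the base64url header and payload joined by a dot.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, now: int = None) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Pin the algorithm server-side instead of trusting whatever the header says.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time compare so timing does not reveal how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    # exp is Unix seconds: compare integers, never a date string or milliseconds.
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= int(payload["exp"]):
        raise ValueError("expired")
    return payload

if __name__ == "__main__":
    print(decode_unverified(PAGE_TOKEN))  # readable with no key at all
    key = b"constructed-demo-key-not-for-production"  # constructed sample key
    tok = sign_hs256({"sub": "42", "exp": 2000000000}, key)
    print(verify_hs256(tok, key, now=1900000000))
```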


"A JWT is like a wristband at a concert—it proves you paid, but everyone can see what's written on it."