JSON Web Tokens (JWTs) have become the standard for authentication in modern web applications and APIs. Understanding how they work is essential for developers building secure applications and security professionals analyzing authentication systems.
What Is a JWT?
A JWT is a compact, URL-safe token format that securely transmits information between parties as a JSON object. The information can be verified and trusted because it's digitally signed.
JWTs are commonly used for:
- Authentication: After login, each subsequent request includes the JWT, allowing access to routes, services, and resources
- Information exchange: JWTs can securely transmit information between parties because they're signed
JWT Structure
A JWT consists of three parts separated by dots: header.payload.signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
The header typically contains the token type (JWT) and the signing algorithm:
{
"alg": "HS256",
"typ": "JWT"
}
Payload
The payload contains claims---statements about the user and additional metadata:
{
"sub": "1234567890",
"name": "John Doe",
"email": "[email protected]",
"role": "admin",
"iat": 1516239022,
"exp": 1516242622
}
Registered claims are predefined:
iss(issuer): Who issued the tokensub(subject): Who the token is about (usually user ID)aud(audience): Who the token is intended forexp(expiration): When the token expiresiat(issued at): When the token was creatednbf(not before): Token not valid before this time
Custom claims can include any data you need, like user roles or permissions.
Signature
The signature verifies the token wasn't tampered with:
HMACSHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
secret
)
How JWT Authentication Works
- User logs in with credentials
- Server validates credentials and generates a JWT
- JWT is returned to the client (stored in localStorage, sessionStorage, or cookie)
- Client includes JWT in the Authorization header for subsequent requests
- Server validates JWT signature and grants access
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Signing Algorithms
Symmetric algorithms (HS256, HS384, HS512) use the same secret key to sign and verify. Simple but requires secure key distribution.
Asymmetric algorithms (RS256, RS384, RS512, ES256) use a private key to sign and a public key to verify. Better for distributed systems where multiple services need to verify tokens.
JWT Security Best Practices
Set Short Expiration Times
JWTs can't be revoked once issued. Short expiration times (15 minutes to 1 hour) limit the window of vulnerability if a token is compromised.
Use HTTPS Only
JWTs are credentials. Always transmit them over HTTPS and set the Secure cookie flag if storing in cookies.
Don't Store Sensitive Data in Payload
The payload is only base64-encoded, not encrypted. Anyone can decode and read it. Never include passwords, API keys, or sensitive personal data.
Validate Everything
Always verify:
- The signature is valid
- The token hasn't expired (
exp) - The issuer is correct (
iss) - The audience is correct (
aud)
Use Strong Secrets
For HMAC algorithms, use secrets at least 256 bits long. Generate them securely---never use simple phrases.
Common JWT Vulnerabilities
Algorithm confusion: Attackers change alg to none or switch from RS256 to HS256 using the public key as the secret. Always explicitly specify allowed algorithms when verifying.
Missing signature validation: Never skip signature verification. A token without validation is just a base64 string anyone can create.
Token sidejacking: If tokens are stored insecurely (accessible via XSS), attackers can steal them. Use HttpOnly cookies or secure storage.
Long expiration times: Tokens valid for days or weeks give attackers a large window to use stolen tokens.
When to Use JWTs
Good use cases:
- Stateless authentication across multiple services
- Single sign-on (SSO)
- Short-lived access tokens
- Mobile app authentication
Consider alternatives when:
- You need to revoke tokens immediately
- Sessions are long-lived
- You're only authenticating with one server
Decode and Inspect JWTs
Use our JWT Decoder to:
- Decode any JWT without the secret
- View header and payload claims
- Check expiration status
- Identify the signing algorithm
The decoder runs entirely in your browser---your tokens are never sent to any server.
Key Takeaways
- JWTs have three parts: header, payload, and signature
- The payload is encoded, not encrypted---don't store secrets
- Always validate signatures and expiration
- Use short expiration times since JWTs can't be revoked
- Choose the right signing algorithm for your architecture
JWTs provide a powerful, flexible authentication mechanism when implemented correctly. Understanding their structure and security implications is essential for building secure applications.