What Is a JWT (JSON Web Token)?

Updated 2026-07-04 · By the MakeToolz team

Quick answer: A JWT, or JSON Web Token, is a signed token that proves who a user is between a server and an app. It has three parts joined by dots: a header, a payload, and a signature. The signature is what makes it trustworthy.

You see JWTs most often in logins and APIs. After you sign in, the server gives your app a JWT, and the app shows that token on every later request to prove it is still you. No password is sent again, and the server does not have to look you up each time.

The three parts of a JWT

A JWT is three chunks joined by dots, like header.payload.signature. Each part does one job:

- Header: a small JSON object naming the signing algorithm (the "alg" field) and the token type.
- Payload: the JSON claims, the data about the user that the app and server read.
- Signature: computed over the header and payload with the server's key, so any change to either of them is detected.

The header and payload are just Base64-encoded JSON. Base64 is an encoding, not encryption, so anyone can decode those two parts and read them. The signature is the only part that requires a key.

What the claims inside a payload mean

The payload is a small JSON object full of claims. Some are standard and show up again and again, such as "exp", the timestamp after which the token is no longer valid.

Beyond those, an app can add its own claims, like a username, an email, or a permission level. That is how a server reads who you are straight from the token without a database trip.

How login uses a JWT

The flow is simple. You log in with your username and password once. The server checks them, then hands your app a JWT. From that point on, your app attaches the token to every request, usually in an Authorization header.

On each request, the server verifies the signature and reads the payload to know who you are and what you can do. Because everything it needs is inside the token, it does not have to query a user database every single time. That speed and independence are why JWTs are popular for logins, single sign-on, and APIs that spread across many services.

How to read a token

Since the first two parts are Base64 JSON, you can decode them to see exactly what a token carries. Paste a token into the free JWT Decoder and it splits out the header and payload in clean, readable JSON and turns the raw expiry timestamp into a normal date and time. That makes it easy to check what claims a token holds or why a login expired.
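Here is an added Python example, not the MakeToolz decoder's own code, that does what this section and the earlier "three parts" section describe: it splits a token on the dots, restores the Base64url padding that JWTs drop, decodes the header and payload as JSON, and turns the numeric time claims into readable dates. The sample token is a constructed demo value (the widely circulated "John Doe" demo payload), not a real credential. Nothing in this code checks the signature, and the result says so explicitly.

```python
import base64
import json
from datetime import datetime, timezone

# Constructed sample token (header.payload.signature). The payload is the common
# demo payload {"sub":"1234567890","name":"John Doe","iat":1516239022}; it is
# not a real credential and this code never verifies its signature.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

# Registered claims that hold seconds since the Unix epoch.
TIME_CLAIMS = ("exp", "iat", "nbf")


def b64url_decode(segment: str) -> bytes:
    """Decode Base64url. JWT segments omit the '=' padding, so restore it first."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt(token: str) -> dict:
    """Split a JWT and decode header and payload WITHOUT checking the signature.

    The signature bytes are returned so the caller can see them, but nothing
    here proves the token is genuine; only a verifier holding the key can.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated parts, got {len(parts)}")
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),
        "verified": False,  # decoding is reading, never verifying
    }


def readable_times(payload: dict) -> dict:
    """Map each numeric-date claim present in the payload to an ISO-8601 UTC string."""
    out = {}
    for claim in TIME_CLAIMS:
        if claim in payload:
            when = datetime.fromtimestamp(payload[claim], tz=timezone.utc)
            out[claim] = when.isoformat()
    return out


if __name__ == "__main__":
    decoded = decode_jwt(SAMPLE_TOKEN)
    print("header: ", json.dumps(decoded["header"], indent=2))
    print("payload:", json.dumps(decoded["payload"], indent=2))
    print("times:  ", readable_times(decoded["payload"]))
    print("verified:", decoded["verified"])
```

Run it as a script to print the two decoded parts and the converted timestamp; the `verified` flag is always `False` because reading a token and trusting it are two different operations.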

One important safety rule

Decoding a JWT is not the same as trusting it. Anyone can read a token's contents, because the header and payload are only encoded, not hidden. Only the signature proves the token is genuine and unchanged, and checking that signature needs the server's key. So never rely on a token's claims until your backend has verified the signature. Trusting a decoded payload without that check is a classic security mistake.

People Also Ask

Is a JWT encrypted?

Usually no. A standard JWT is signed, not encrypted, so its contents can be read by anyone who decodes the Base64. The signature stops tampering but does not hide the data. There is a separate encrypted form called JWE, but plain JWTs are readable, so never put secrets like passwords in the payload.

Can I decode a JWT without the secret key?

Yes. Reading the header and payload only needs Base64 decoding, which the JWT Decoder does instantly. The secret key is only required to verify the signature or to create a valid token, not to read what is inside one.

What does a JWT expiry mean?

The payload usually holds an "exp" claim, a timestamp for when the token stops being valid. After that moment the server rejects the token and the user has to log in again or use a refresh token to get a new one. Short expiry times limit the damage if a token is stolen.

Is it safe to paste a token into an online decoder?

Use a decoder that runs entirely in your browser, like ours, so the token is never uploaded to a server. Even then, avoid pasting real production tokens into any tool, since a live token can grant access until it expires. Test with sample or expired tokens when you can.

What is the difference between a JWT and a session cookie?

A session cookie stores a small ID, and the server keeps the real user data on its side. A JWT carries the user data inside the token itself, so the server does not need to store session state. JWTs scale well across many servers, while sessions are easier to revoke instantly.

Can a JWT be revoked before it expires?

Not easily on its own. Because a JWT is self-contained, a server that only checks the signature will accept it until the expiry time. To cancel a token early, apps use short expiry times plus a blocklist or a refresh-token system that can deny a token before it would naturally expire.

Why is my JWT signature invalid?

Common causes are a wrong or changed secret key, a mismatch between the algorithm in the header and the one the server expects, or a token that was altered after signing. Even a single changed character in the payload breaks the signature, which is exactly what the signature is meant to catch.

What does the "alg" in a JWT header do?

The "alg" field names the signing algorithm, such as HS256 or RS256. HS256 uses one shared secret, while RS256 uses a private key to sign and a public key to verify. Servers should reject a token whose algorithm does not match what they expect, since accepting any algorithm is a known vulnerability.
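As an added example (not code from MakeToolz or any library), the following Python covers the server side described in "How login uses a JWT", the safety rule above, and the two questions about invalid signatures and the "alg" field. `sign_hs256` mints a token after login; `verify_hs256` pins the algorithm to HS256 before doing anything else, recomputes the HMAC over the exact header.payload bytes received, compares it in constant time, and only then checks "exp". The `demo` function builds constructed tokens for each failure mode (edited payload, wrong key, expired, header claiming "none") and shows that only the untouched token is accepted. The secret and claims are demo values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real server loads it from configuration, not source.
SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ALG = "HS256"  # the server decides this, never the token's header


class InvalidToken(Exception):
    """Raised for any token the server must not trust."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token the way a login endpoint does once the password checks out."""
    signing_input = encode_json({"alg": EXPECTED_ALG, "typ": "JWT"}) + "." + encode_json(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims only after every check passes; otherwise raise InvalidToken.

    Order matters: pin the algorithm, recompute the signature over the bytes
    actually received, and only then read and trust anything in the payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, binascii.Error) as exc:
        raise InvalidToken("undecodable header or signature") from exc
    # The header is untrusted input: "none", RS256 or anything else is refused.
    if header.get("alg") != EXPECTED_ALG:
        raise InvalidToken(f"alg {header.get('alg')!r} is not {EXPECTED_ALG}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time compare so a mismatch does not leak how many bytes matched.
    if not hmac.compare_digest(expected, sig):
        raise InvalidToken("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("token expired")
    return claims


def accepts(token: str, secret: bytes = SECRET) -> bool:
    try:
        verify_hs256(token, secret)
        return True
    except InvalidToken:
        return False


def demo() -> dict:
    """Constructed tokens for each failure mode; only the untouched one passes."""
    claims = {"sub": "user-42", "role": "reader", "exp": 2_000_000_000}  # 2033, far future
    good = sign_hs256(claims, SECRET)
    header_b64, _, sig_b64 = good.split(".")
    # 1. Payload edited after signing, original signature kept: the MAC no longer matches.
    edited_payload = encode_json({**claims, "role": "admin"})
    tampered = f"{header_b64}.{edited_payload}.{sig_b64}"
    # 2. Same claims signed with a different key: a token this server never issued.
    wrong_secret = sign_hs256(claims, b"some-other-secret")
    # 3. "exp" in the past.
    expired = sign_hs256({**claims, "exp": 1_000_000_000}, SECRET)
    # 4. Header announcing "none" with an empty signature; the pin rejects it first.
    none_header = encode_json({"alg": "none", "typ": "JWT"})
    alg_none = f"{none_header}.{encode_json(claims)}."
    return {
        "good": accepts(good),
        "tampered": accepts(tampered),
        "wrong_secret": accepts(wrong_secret),
        "expired": accepts(expired),
        "alg_none": accepts(alg_none),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:13s} accepted={ok}")
```

The design point is the order of checks: the algorithm is fixed by the server and compared before any cryptography runs, the signature is recomputed from the received encoded segments rather than from re-serialised JSON (re-encoding can change bytes and break a valid token), and the claims are only parsed for trust after the MAC matches.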

Want to see what a token really contains? Paste it into the free JWT Decoder to read the header and payload in clean JSON and turn the expiry into a readable date, all in your browser so nothing is uploaded.