What Is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format for representing claims (assertions) between two parties. Defined by RFC 7519, JWTs are the standard mechanism for authentication tokens, API authorization, and secure information exchange in modern web applications.
JWT Structure
A JWT consists of three Base64URL-encoded parts separated by dots:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzAwMDAwMDAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Specifies the token type (JWT) and the signing algorithm (HS256 = HMAC-SHA256).
Payload (Claims)
{
  "sub": "user123",
  "name": "Alice",
  "email": "alice@example.com",
  "iat": 1700000000,
  "exp": 1700003600
}
Signature
Created by signing the string "<encoded header>.<encoded payload>" with a secret key (HS256) or with a private key (RS256/ES256). The verifier recomputes or checks this value, so any change to the header or payload invalidates the signature.
Standard Claims
Reserved claim names with special meaning:
- iss (Issuer): Who created the token
- sub (Subject): Who the token is about (usually user ID)
- aud (Audience): Who the token is intended for
- exp (Expiration): When the token expires (Unix timestamp)
- nbf (Not Before): Token is invalid before this time
- iat (Issued At): When the token was created
- jti (JWT ID): Unique identifier for the token
JWT Signing Algorithms
Symmetric (Shared Secret)
- HS256/HS384/HS512: HMAC with SHA-256/384/512
- Same key used for signing and verification
- Simple but requires sharing the secret
Asymmetric (Public/Private Key)
- RS256/RS384/RS512: RSA with SHA-256/384/512
- Private key signs, public key verifies
- Third parties can verify without the signing key
- ES256/ES384/ES512: ECDSA (more efficient than RSA)
- Smaller key sizes for the same security level
Security Considerations
The "alg: none" Attack
Some early JWT libraries treated a token whose header carried alg "none" as validly signed and skipped signature verification entirely, so anyone could forge claims. The header is attacker-controlled until the signature has been checked, so never let it choose the verification method: verify against an explicit allowlist of the algorithm(s) your service actually issues and reject everything else, including "none".
Secret Key Strength
For HS256, use a secret with at least 256 bits of random entropy. Never use weak secrets like "secret" or "password", which are trivially guessable. In Node.js, generate one with crypto.randomBytes(32).
Token Storage
- localStorage: Accessible to JavaScript, vulnerable to XSS
- HttpOnly cookies: Not accessible to JavaScript, protected from XSS, but require CSRF protection
- Recommended: HttpOnly, Secure, SameSite=Strict cookies
Token Revocation Challenge
JWTs are stateless — servers don't track which tokens are valid. Once issued, a JWT is valid until it expires. Workarounds:
- Short expiration times (15 minutes)
- Token blacklist (defeats statelessness)
- Refresh token rotation
JWTs in Authentication Flow
- User logs in with credentials
- Server validates credentials
- Server creates JWT signed with secret key
- JWT returned to client
- Client sends JWT in Authorization header on subsequent requests
- Server validates JWT signature and claims
- If valid, processes the request
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Using the JWT Parser Tool
Our tool:
- Paste any JWT — immediately decoded and displayed
- Shows all three parts — header, payload, and signature separately
- Claim interpretation — timestamps shown as human-readable dates
- Validation status — checks token expiration
- Algorithm identification — shows which signing algorithm was used
- Copy parts — extract header or payload as JSON
Use it for debugging authentication issues, understanding JWT contents during development, and verifying token structure and claims.