What is JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) for compactly transmitting claims between parties as a JSON object whose integrity is protected by a signature or MAC. In the usual (JWS compact) form, a JWT consists of three base64url-encoded parts separated by dots: the header (algorithm and token type), the payload (claims), and the signature. Note that the payload is only base64url-encoded, not encrypted: anyone who obtains the token can read its claims, so confidentiality requires encrypting the token (JWE) rather than relying on the encoding.

JSON Web Tokens are commonly used for authentication and information exchange in web applications and APIs. The header specifies the signing algorithm (e.g., HS256, RS256) and token type. The payload contains claims — statements about an entity (typically the user) and additional metadata. Common registered claims include `iss` (issuer), `sub` (subject), `exp` (expiration time), `iat` (issued at), and `aud` (audience).

The signature is computed over the base64url-encoded header and the base64url-encoded payload joined by a dot, using the algorithm named in the header. For HMAC-based algorithms (HS256, HS384, HS512), the signature is a MAC under a shared secret, so any party able to verify a token can also mint one. For RSA and ECDSA algorithms (RS256, ES256 and friends), a private key signs and the corresponding public key verifies. Because the header is attacker-controlled until the signature has been checked, a verifier must pin the algorithm(s) it accepts rather than letting the token's `alg` value choose the verification method; this is the guidance in RFC 8725 and it rules out `"alg": "none"` tokens and algorithm-confusion attacks.

JWTs are widely used in OAuth 2.0, OpenID Connect, and session management. They allow stateless authentication because the server can verify a token using only the key, without looking up stored session data. The flip side is that a JWT cannot be revoked before its `exp` time unless the server keeps state such as a deny-list of revoked token IDs (`jti`), so short lifetimes, paired with a refresh mechanism where needed, are recommended for sensitive operations. Verifiers should also check `aud` so a token issued for one service is not accepted by another.
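The following is an added example, not code from quickhelp.dev, illustrating the token structure, HS256 signing and the verification checks described above (pinned algorithm, constant-time MAC comparison, `exp` and `aud`). It uses only the Python standard library; the secret, claims and timestamps are constructed for the demonstration, and `decode_unverified` mirrors what a decoder tool shows you before any signature check has happened.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as required by RFC 7515 / RFC 7519."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload and MAC that string with HMAC-SHA256 (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(claims))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Inspect header and payload only. This proves nothing about authenticity."""
    h_b64, p_b64, _ = token.split(".")
    return json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))


def verify_hs256(token: str, secret: bytes, expected_aud: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is authentic and valid; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated parts")
    h_b64, p_b64, s_b64 = parts

    # Pin the algorithm. The header is untrusted input until the MAC checks out, so it
    # must not be allowed to pick "none" or switch us onto a different key type.
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))

    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):  # constant-time compare
        raise ValueError("signature mismatch")

    claims = json.loads(b64url_decode(p_b64))
    now = int(time.time()) if now is None else now
    # RFC 7519: the current time must be strictly before exp.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    return claims


def is_valid(token: str, secret: bytes, expected_aud: str, now: int) -> bool:
    """Boolean wrapper around verify_hs256 for callers that just need accept/reject."""
    try:
        verify_hs256(token, secret, expected_aud, now)
        return True
    except ValueError:
        return False


def forge_alg_none(token: str) -> str:
    """Constructed attack token: same payload, header alg=none, empty signature.
    A verifier that honours the header would accept it; ours rejects it."""
    _, p_b64, _ = token.split(".")
    return b64url_encode(_compact_json({"alg": "none", "typ": "JWT"})) + "." + p_b64 + "."


if __name__ == "__main__":
    secret = b"constructed-demo-secret-do-not-reuse"  # constructed for the example
    claims = {"iss": "https://issuer.example", "sub": "alice", "aud": "api",
              "iat": 1700000000, "exp": 1700000600}
    token = sign_hs256(claims, secret)
    print("token:", token)
    print("decoded (unverified):", decode_unverified(token))
    print("valid now:", is_valid(token, secret, "api", 1700000300))
    print("valid after exp:", is_valid(token, secret, "api", 1700000600))
    print("alg=none forgery accepted:", is_valid(forge_alg_none(token), secret, "api", 1700000300))
```

Three things worth noticing when you run it: the header segment is the familiar `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9`, `decode_unverified` happily returns the claims of a forged token, and every rejection path goes through the same pinned-algorithm and constant-time comparison code rather than branching on what the token says about itself.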

Use quickhelp.dev's JWT Decoder to inspect any JWT's header and payload, and optionally verify the signature with your secret or public key.
