A JWT (JSON Web Token, pronounced "jot") is a compact, URL-safe token format used to securely transmit information between parties. JWTs are most commonly used for authentication: after you log in, the server issues a JWT that your browser sends with every subsequent request to prove your identity.
A JWT consists of three parts separated by dots: the header, the payload, and the signature. The header specifies the token type and the signing algorithm (like HMAC SHA256 or RSA). The payload contains claims, which are key-value pairs of data such as user ID, email, roles, and an expiration timestamp. The signature is computed over the encoded header and payload with a secret key (or, for asymmetric algorithms such as RSA, a private key).
The header and payload are Base64url-encoded, not encrypted. Anyone who intercepts a JWT can decode and read its contents. The signature, however, ensures the token has not been tampered with. If someone modifies the payload, the signature will no longer match, and the server will reject the token.
JWTs are "stateless" because the server does not need to store session data. All the information it needs to verify the user is embedded in the token itself. This makes JWTs popular in distributed systems where multiple servers need to validate requests independently.
JWTs power authentication across the modern web. OAuth flows, single sign-on systems, and API authorization commonly rely on JWTs. Understanding their structure helps developers debug authentication issues, set appropriate expiration times, and avoid common security mistakes like storing JWTs in localStorage (which is vulnerable to XSS attacks).
Use the TerminalFeed JWT Decoder tool to paste any JWT and instantly see its decoded header, payload, and expiration status. No data is sent to a server; decoding happens entirely in your browser.