What is a JWT?

A JWT is a compact, signed token that securely carries claims between parties, commonly used for authentication and authorization.

A JWT (JSON Web Token) is a compact, self-contained token that carries information (claims) between two parties in a verifiable way. It's widely used for authentication: after you log in, the server gives you a JWT that proves who you are on later requests.

Structure:

A JWT has three parts separated by dots: header.payload.signature

  • Header: The token type and signing algorithm
  • Payload: The claims (user id, roles, expiry)
  • Signature: A cryptographic signature verifying the token wasn't tampered with

How It Works:

  1. You log in with credentials
  2. The server creates a JWT and signs it with a secret
  3. The client stores the token and sends it on each request
  4. The server verifies the signature and reads the claims — no database lookup needed

Benefits:

  • Stateless: The server doesn't store sessions
  • Portable: Works across services and domains
  • Compact: Easy to send in headers

FAQ

Is the payload in a JWT encrypted?

No. The payload is only Base64url-encoded, not encrypted, so anyone who holds the token can decode and read it. Never put secrets in a JWT. The signature guarantees integrity, not confidentiality.

How do I handle JWT expiration?

Use short-lived access tokens plus a longer-lived refresh token. When the access token expires, the client uses the refresh token to get a new one without logging in again.
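The following stdlib-only Python script is an added example, not code from the original page: it walks through the "How It Works" steps (a server signing an HS256 token and later verifying it) and backs both FAQ answers, by decoding the payload without the key and by issuing a short-lived access token alongside a longer-lived refresh token. The secret, the claim values and the `typ` claim used to tell the two token kinds apart are constructed for the example.

```python
"""Minimal HS256 JWT issue/verify, written for illustration (stdlib only)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads it from a secret store.
SECRET = b"example-signing-secret-change-me"
ACCESS_TTL = 15 * 60          # 15 minutes
REFRESH_TTL = 7 * 24 * 3600   # 7 days


def b64url_encode(raw: bytes) -> str:
    # JWTs use base64url without '=' padding (RFC 7515, Appendix C).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, secret: bytes = SECRET) -> str:
    """Build header.payload.signature; the HMAC covers the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def decode_unverified(token: str) -> dict:
    """Read the payload WITHOUT checking the signature: anyone holding the token can."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims if the token is authentic and unexpired, else raise ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the server decides it, never the token's own header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def issue_pair(user_id: str, now=None):
    """Short-lived access token plus longer-lived refresh token for the same user."""
    now = int(time.time() if now is None else now)
    access = sign({"sub": user_id, "typ": "access", "iat": now, "exp": now + ACCESS_TTL})
    refresh = sign({"sub": user_id, "typ": "refresh", "iat": now, "exp": now + REFRESH_TTL})
    return access, refresh


def refresh_access(refresh_token: str, now=None) -> str:
    """Exchange a valid refresh token for a new access token; no credentials re-entered."""
    claims = verify(refresh_token, now=now)
    # A leaked access token must not be accepted as a refresh token (and vice versa).
    if claims.get("typ") != "refresh":
        raise ValueError("not a refresh token")
    now = int(time.time() if now is None else now)
    return sign({"sub": claims["sub"], "typ": "access", "iat": now, "exp": now + ACCESS_TTL})


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    access, refresh = issue_pair("user-42", now=t0)
    print("readable without the key:", decode_unverified(access))
    print("verified:", verify(access, now=t0 + 60))
    try:
        verify(access, now=t0 + ACCESS_TTL + 1)
    except ValueError as err:
        print("after 15 minutes:", err)
    new_access = refresh_access(refresh, now=t0 + ACCESS_TTL + 1)
    print("refreshed for:", verify(new_access, now=t0 + ACCESS_TTL + 2)["sub"])
```

Two design points worth noting: `verify` pins the algorithm on the server side instead of trusting the `alg` field carried in the token, and the refresh token carries its own `typ` claim so that an expired or stolen access token cannot be replayed against the refresh endpoint.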
