Tags: jwt, authentication, security, api

JWT Tokens Explained: Structure, Claims, and Security

Deep dive into JSON Web Tokens - how they work, what they contain, and security best practices.

February 8, 2024 · 7 min read

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format for transmitting claims between parties; its signature lets the recipient verify that the claims were not altered in transit.

JWT Structure

A JWT has three base64url-encoded parts separated by dots: header.payload.signature

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload (Claims)

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

Signature

The signature is computed over the encoded header and payload with the algorithm named in alg (HMAC-SHA256 for HS256) and lets the server verify that the token hasn't been tampered with.

Common Claims

  • sub: Subject (user ID)
  • iat: Issued at (timestamp)
  • exp: Expiration time
  • iss: Issuer
  • aud: Audience

Security Best Practices

  1. Always validate the signature on the server, using the algorithm and key the server expects rather than whatever the token's header claims
  2. Check expiration (exp claim) and reject tokens whose exp has passed
  3. Use HTTPS - JWTs are base64url-encoded, not encrypted, so anyone who can read the token can read its payload
  4. Short expiration - use refresh tokens for long-lived sessions rather than long-lived access tokens
  5. Never store sensitive data in the payload
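As an added example (not code from the original article), here is a minimal HS256 sign/verify pair in Python that applies practices 1 and 2 above together with the iss and aud claims from the claims list; the secret, issuer and audience values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from a secrets store.
SECRET = b"demo-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    # base64url without padding, as JWT segments are encoded
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding stripped during encoding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    # The signature covers both encoded segments: header.payload
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if the token is valid; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_seg))
    # Pin the algorithm server-side: the token's own alg value is untrusted input.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_seg))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    return claims
```

In production you would use a maintained library such as PyJWT, but these are the checks it must be configured to perform.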

Decode and inspect JWTs with our JWT Decoder.