Guides

What is JWT? How to Decode and Inspect JWT Tokens

CodeUtilityKit Team··7 min read

What is JWT?

A JSON Web Token (JWT) is a compact, self-contained way to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

JWTs are commonly used for:

  • Authentication – After login, each request includes the JWT to verify the user
  • Information Exchange – Securely transmit data between parties

JWT Structure

A JWT consists of three parts separated by dots: Header.Payload.Signature

1. Header

The header typically contains the token type (JWT) and the signing algorithm (e.g., HS256).

2. Payload

The payload contains the claims — statements about an entity (user) and additional data.

3. Signature

The signature is used to verify the token hasn't been tampered with.

Common JWT Claims

  • iss – Issuer
  • sub – Subject (user ID)
  • aud – Audience
  • exp – Expiration time
  • iat – Issued at
  • jti – JWT ID

Security Tips

  1. Never put sensitive data in JWT payload — it can be decoded by anyone
  2. Always verify the signature server-side
  3. Set appropriate expiration times
  4. Use HTTPS to prevent token interception
  5. Rotate secrets regularly

Try It Now

Use our JWT Decoder to decode any JWT token instantly in your browser.

CU

CodeUtilityKit Team builds free, privacy-first developer tools that run entirely in your browser. Every guide is written and reviewed by developers who use these tools daily.