What is JWT? How to Decode and Inspect JWT Tokens
What is JWT?
A JSON Web Token (JWT) is a compact, self-contained way to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
JWTs are commonly used for:
- Authentication – After login, each request includes the JWT to verify the user
- Information Exchange – Securely transmit data between parties
JWT Structure
A JWT consists of three parts separated by dots: Header.Payload.Signature
1. Header
The header typically contains the token type (JWT) and the signing algorithm (e.g., HS256).
2. Payload
The payload contains the claims — statements about an entity (user) and additional data.
3. Signature
The signature is used to verify the token hasn't been tampered with.
Common JWT Claims
- iss – Issuer
- sub – Subject (user ID)
- aud – Audience
- exp – Expiration time
- iat – Issued at
- jti – JWT ID
Security Tips
- Never put sensitive data in JWT payload — it can be decoded by anyone
- Always verify the signature server-side
- Set appropriate expiration times
- Use HTTPS to prevent token interception
- Rotate secrets regularly
Try It Now
Use our JWT Decoder to decode any JWT token instantly in your browser.
CodeUtilityKit Team builds free, privacy-first developer tools that run entirely in your browser. Every guide is written and reviewed by developers who use these tools daily.