What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims between two parties. JWTs are commonly used for authentication and information exchange in web applications and APIs. A JWT is a string of three Base64URL-encoded segments containing structured data that anyone can read; only a party holding the verification key (the shared secret for HMAC algorithms such as HS256, or the signer's public key for RS256 and similar) can check that the token is genuine.
JWT structure explained
Every JWT consists of three dot-separated parts: the header, the payload, and the signature. The header describes the signing algorithm (e.g. HS256, RS256). The payload contains the claims: data such as the user ID, roles, and expiry time (exp). The signature is computed over the header and payload, so a verifier can detect any change to either of them.
When to use JWTs
JWTs are well-suited for stateless authentication: the server issues a signed token on login, and the client presents it with every request. The server verifies the signature without needing to query a database. They are also used in OAuth 2.0 and OpenID Connect flows as ID tokens and access tokens.
Security note
Never share JWTs in public forums, logs, or version control. Although the header and payload are only Base64-encoded (not encrypted), they may contain sensitive claims. This tool decodes entirely in your browser — no token data is ever transmitted to a server.