How JWT Tokens Work: A Practical Explainer
What is a JWT? Learn how JSON Web Tokens encode claims, why they are used in APIs, and how to decode them safely for debugging.
A JSON Web Token (JWT) is a compact string that carries signed (or encoded) claims between a client and a server. You see them in Authorization: Bearer … headers, OAuth flows, and sessionless APIs.
Structure: three parts
A JWT looks like xxxxx.yyyyy.zzzzz: three Base64URL-encoded segments separated by dots:
- Header: algorithm and token type (`{"alg":"HS256","typ":"JWT"}`)
- Payload: claims such as `sub` (user id), `exp` (expiry), roles, etc.
- Signature: proves the token was not tampered with (when verified with a secret or public key)
Encoding vs encryption
JWTs are encoded, not encrypted. Anyone with the token can decode the header and payload. Never put passwords or secrets in the payload.
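The following is an added example (not code from this page or from ToolKits) that splits a token into its three segments and Base64URL-decodes the header and payload, exactly as a local debugging decoder does. It deliberately does not check the signature, which is the point of the section above: anyone holding the token can read the claims. The sample token is the widely published jwt.io demo token and is not a live credential; the function and field names are this example's own.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Base64URL-decode one JWT segment.

    JWTs strip the trailing '=' padding, so restore it before decoding
    (a segment's length mod 4 tells us how many '=' are missing).
    """
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Split a JWT and decode its header and payload WITHOUT verifying it.

    Use this for inspection only. Nothing here proves the token is
    genuine; it only shows what the token claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        # The signature is raw bytes, not JSON; report its length only
        # (32 bytes is what an HS256 / HMAC-SHA256 tag looks like).
        "signature_bytes": len(b64url_decode(signature_b64)),
    }


# Sample input (constructed for this example): the public jwt.io demo token,
# header {"alg":"HS256","typ":"JWT"}, payload with sub/name/iat claims.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

if __name__ == "__main__":
    decoded = decode_jwt_unverified(SAMPLE_TOKEN)
    print(json.dumps(decoded, indent=2))
```

Run it and the `sub`, `name` and `iat` claims print in clear text, with no secret involved; that is what "encoded, not encrypted" means in practice, and why a decoder alone is never a substitute for verification.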
Common claims
| Claim | Meaning |
|---|---|
| `sub` | Subject (user identifier) |
| `exp` | Expiration time (Unix timestamp) |
| `iat` | Issued at |
| `iss` | Issuer |
How APIs use JWTs
- User logs in → server returns a JWT.
- Client sends the JWT on each request.
- Server verifies the signature and `exp`, then trusts the claims.
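The server-side step above, written out as an added example (not code from this page or from ToolKits): one function mints an HS256 token with a dev-only secret, and `verify_hs256` is what a resource server runs before trusting any claim. It pins the algorithm instead of reading it from the untrusted header, compares the HMAC in constant time, and checks `exp` against the current time. `DEV_SECRET`, the claim values and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example. A real deployment keeps the key out of
# source code (secret manager / environment) and rotates it.
DEV_SECRET = b"dev-only-secret-change-me"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(tag)}"


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None,
                 leeway: int = 0) -> dict:
    """Return the claims only if the signature and `exp` both check out.

    Raises ValueError otherwise, so callers cannot accidentally use the
    payload of a token that failed verification.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # The header is untrusted until the signature is verified, so the
    # server decides the algorithm; the token only has to match it.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # compare_digest avoids leaking how many bytes matched via timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims:
        raise ValueError("missing exp")
    if now > int(claims["exp"]) + leeway:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    token = mint_hs256({"sub": "user-42", "exp": int(time.time()) + 300}, DEV_SECRET)
    print(token)
    print(verify_hs256(token, DEV_SECRET))
```

Only the claims returned by `verify_hs256` are safe to act on. A token whose payload was edited still decodes cleanly (as the decoder example above shows), but its HMAC no longer matches, and a token past `exp` is rejected even though its signature is valid; the small `leeway` parameter exists because issuer and verifier clocks are rarely perfectly aligned.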
Debug safely in the browser
Use the ToolKits JWT decoder to inspect tokens locally; nothing is sent to a server. To create test tokens, use the JWT generator with a dev-only secret.
Never paste production secrets or live user tokens into untrusted online tools.
For Base64 mechanics behind JWT, see what is Base64.