
What Is a JWT Token and How Does It Work?

Understand JSON Web Tokens — structure, how they authenticate users, and security best practices.


What Is a JWT?

JWT (JSON Web Token) is an open standard for securely transmitting information between parties as a JSON object. It is most commonly used for authentication — to verify that a user is who they claim to be without requiring a database lookup on every request.

JWT Structure

A JWT has three parts separated by dots: Header.Payload.Signature

Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U

Header: Base64URL encoded JSON specifying the token type and the signing algorithm (here HS256, i.e. HMAC with SHA-256).

{"alg": "HS256", "typ": "JWT"}

Payload: Base64URL encoded JSON with claims (statements about the user).

{"sub": "user123", "name": "Ravi Kumar", "iat": 1516239022, "exp": 1516242622}

Signature: Created by signing the string base64url(Header) + "." + base64url(Payload) with a secret key using the algorithm named in the header. Any change to the header or payload invalidates the signature, which is what prevents tampering.

How JWT Authentication Works

  • User logs in with username and password
  • Server validates credentials and creates a JWT signed with a secret key
  • JWT is sent to the client (browser/app)
  • Client stores the JWT (typically in localStorage or memory)
  • Client sends the JWT in the Authorization header on each subsequent request
  • Server validates the JWT signature — no database lookup needed
  • If valid, server processes the request
Security Best Practices

Never store JWTs in localStorage for high-security apps: XSS attacks can steal localStorage. Use httpOnly cookies instead.

Set expiry times: JWTs should have short expiry (15 minutes to 1 hour) with a refresh token mechanism.

Use HTTPS: JWTs in transit are vulnerable to interception without HTTPS.

Do not store sensitive data in payload: The payload is Base64URL encoded — not encrypted. Anyone can decode it without the secret key.

Frequently asked questions

Is a JWT secure?

JWTs are signed (verifiable) but not encrypted by default — the payload can be decoded by anyone. Never store sensitive information in JWT payload without additional encryption. Use HTTPS and short expiry times.

What is the difference between JWT and session tokens?

Session tokens are stored server-side in a database — every request requires a database lookup. JWTs are self-contained — the server validates the signature without a database lookup, making them more scalable.
