JSON Web Token
Also known as: JWT, JOSE JWT, JSON Web Token (RFC 7519)
A JSON Web Token (JWT) is a compact, URL-safe token made of three Base64URL-encoded segments — header, payload, and signature — that an API issues so a client can prove who it is on subsequent requests without re-authenticating each time.
Overview
A JWT looks like 'xxxxx.yyyyy.zzzzz'. The first segment is a JSON header that names the signing algorithm (e.g. HS256, RS256, ES256). The second is a JSON payload of 'claims' — sub (subject), iss (issuer), aud (audience), iat (issued-at), exp (expiration, both as Unix timestamps), and any custom fields like role or scope. The third is a signature over the first two segments (as 'header.payload'), computed with either a shared secret (HS family, an HMAC) or an asymmetric private key (RS / ES family, a digital signature verified with the public key). Servers verify the signature first, then check the standard claims (exp, aud, iss), and only then trust the rest of the payload.
JWTs are easy to misuse. The most common mistakes: forgetting to verify the signature, accepting the 'none' algorithm (the header's alg field is attacker-supplied input, so the server should pin the algorithm it expects rather than read it from the token), embedding sensitive data in the payload (it is only Base64-encoded, not encrypted), and using long-lived tokens without a revocation strategy. For most user-session use cases, opaque session IDs backed by a server-side store are simpler and safer.
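The verification steps described above, as an added example that is not part of this page: a minimal HS256 issuer and verifier built on Python's standard library, which pins the algorithm, checks the signature before reading any claim, and enforces exp and aud. The secret, claim values and function names are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real service loads its HMAC key from a secret store.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = b64url_encode(header) + "." + b64url_encode(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, secret: bytes, audience: str, now: int = None) -> dict:
    """Return the claims only if signature, exp and aud all check out; else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm server-side; the token must never choose it ('none', alg confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg in header")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison, and check the signature BEFORE trusting any claim.
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("exp missing, malformed or in the past")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    return claims

def is_valid(token: str, secret: bytes, audience: str, now: int = None) -> bool:
    try:
        verify_hs256(token, secret, audience, now)
        return True
    except ValueError:
        return False
```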
Common questions about JSON Web Token
Are JWTs encrypted?
What does 'verifying a JWT' mean?
What is the exp claim?
When should I NOT use JWTs?
Related concepts
Base64
Base64 is a way of encoding arbitrary binary data as text drawn from an alphabet of 64 ASCII characters (A–Z, a–z, 0–9, '+', '/') so it can travel through systems that only handle plain text — like email, URLs, JSON, or HTML data URIs. JWTs use the URL-safe variant (Base64URL), which substitutes '-' and '_' for '+' and '/' and omits the '=' padding.
Cryptographic Hash
A cryptographic hash function takes any input and produces a fixed-length pseudo-random output (the 'digest') that is, in practice, unique to the input (finding two inputs with the same digest is computationally infeasible) — and is computationally infeasible to reverse, making hashes the foundation of integrity checks, content addressing, and password storage.