PrettifyJson
JWT Guide

JWTs are simple to decode and easy to misuse if you skip verification

A JSON Web Token carries claims in a compact string, but the important part is not decoding it. The important part is verifying who issued it and whether it should still be trusted.

JWT anatomy

A token has three Base64url-encoded sections separated by dots.

header.payload.signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

Declares the token type and the signing algorithm.

{"alg":"HS256","typ":"JWT"}

Payload

Contains claims about the user, client, or session.

{"sub":"123","exp":1700000000}

Signature

Protects header and payload from tampering when verification is implemented correctly.

HMAC-SHA256(base64url(header) + "." + base64url(payload), secret)

The signing input is the two encoded sections joined by a dot; the result is Base64url-encoded to form the third section. For RS256 and ES256 the same input is signed with the private key instead.

Registered claims

Claim  Name        Meaning
iss    Issuer      Which system created the token
sub    Subject     Who the token is about
aud    Audience    Which service should accept it
exp    Expiration  Reject at or after this Unix timestamp
nbf    Not Before  Reject before this Unix timestamp
iat    Issued At   When it was minted
jti    JWT ID      Unique identifier for replay controls

Common signing algorithms

HS256 / HS384 / HS512

Symmetric HMAC algorithms. The same shared secret signs and verifies the token, so every service that can verify a token can also mint one. Use these only when issuer and verifier are the same trust boundary.

RS256 / RS384 / RS512

Asymmetric RSA algorithms. A private key signs and a public key verifies.

ES256 / ES384 / ES512

Asymmetric elliptic-curve signatures with smaller keys and signatures than RSA.

alg: none

Unsigned tokens: the signature section is empty and anyone can write the payload. A verifier that honours this header value accepts any claims, so reject it outright in production verification paths.

How verification works

  1. Split the token on . and require exactly three sections: header, payload, and signature.
  2. Decode the header and compare alg against the algorithm you expect. The header tells you what the sender claims, not what you should use; if it differs from your pinned algorithm, stop here.
  3. Check the signature over header.payload with the key you configured for that algorithm: recompute the HMAC for HS256, or run signature verification with the public key for RS256/ES256. Never let the header choose the key or the key type.
  4. Compare the provided signature with the recomputed one using a constant-time comparison so timing does not leak how many bytes matched.
  5. Only after the signature holds, validate the claims: exp (expired), nbf (not yet valid), iss (expected issuer), and aud (this service is an intended audience). A small clock-skew allowance is acceptable; a missing exp should be treated as a failure.
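The five steps as working code, added here as an example (this is not the product's own decoder or the code of any library): it mints an HS256 token with the Python standard library, verifies it with the algorithm pinned, a constant-time signature compare, and exp/nbf/iss/aud checks, and then shows that a tampered payload, an alg:none token, and an expired token all decode fine yet are refused. The secret, issuer, and audience values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demonstration (not from the page): a deployment
# would load the secret from a key store and take iss/aud from configuration.
SECRET = b"demo-secret-0123456789abcdef0123456789abcdef"
ISSUER = "https://auth.example"
AUDIENCE = "api.example"


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Issuer side: HMAC-SHA256 over base64url(header) + '.' + base64url(payload)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """Decoding only: shows the claims but proves nothing about who produced them."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token, secret, issuer, audience, now=None) -> dict:
    """Steps 1-5 of the guide; returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:                                    # 1. exactly three sections
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":                       # 2. pin the algorithm; the header does not choose it
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()   # 3. recompute the HMAC
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):         # 4. constant-time compare
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))        # 5. claims, only after the signature held
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("missing exp or expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def rejected(token: str, now: int) -> bool:
    """True when verify_hs256 refuses the token."""
    try:
        verify_hs256(token, SECRET, ISSUER, AUDIENCE, now)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Run the verifier against a good token and three tokens that decode fine but must fail."""
    now = 1_700_000_000
    good = {"iss": ISSUER, "aud": AUDIENCE, "sub": "123", "iat": now, "exp": now + 300}
    token = mint_hs256(good, SECRET)
    header_b64, _, sig_b64 = token.split(".")

    # Tampered: same header and signature, payload rewritten to claim sub=admin.
    forged_payload = b64url_encode(json.dumps(dict(good, sub="admin")).encode())
    forged = f"{header_b64}.{forged_payload}.{sig_b64}"
    # alg:none: unsigned token carrying the forged payload and an empty signature section.
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    unsigned = f"{none_header}.{forged_payload}."

    return {
        "valid": verify_hs256(token, SECRET, ISSUER, AUDIENCE, now)["sub"] == "123",
        "tampered_decodes": decode_unverified(forged)["sub"] == "admin",
        "tampered_rejected": rejected(forged, now),
        "alg_none_rejected": rejected(unsigned, now),
        "expired_rejected": rejected(token, now + 300),   # now == exp is already too late
    }


if __name__ == "__main__":
    print(demo())
```

The order inside verify_hs256 is the point: the algorithm check happens before any key is touched, the signature is checked before any claim is read, and decode_unverified exists only to show that a forged payload is perfectly readable, which is exactly why reading it proves nothing.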

Security guidance

Decoding is not trust

A JWT decoder shows you the contents, but it does not prove the token is authentic. Trust begins only after signature and claim verification succeed.

  • Pin the expected algorithm and the key that goes with it, and reject anything else. A verifier that lets the header pick the algorithm can be handed an HS256 token signed with its own RSA public key as the HMAC secret, or an alg:none token with no signature at all.
  • Keep token lifetimes short and use refresh flows for longer sessions, so a leaked token has a bounded window of use.
  • Never put secrets in the payload. It is only encoded, not encrypted, and anyone holding the token can read it.
  • Use strong random secrets for HMAC, at least as long as the hash output (256 bits for HS256), and proper key management and rotation for asymmetric signing keys.
  • Always transmit tokens over HTTPS, and treat a token as a bearer credential: whoever holds it can use it.

Try it live

Inspect a token in the built-in decoder

The JWT Decoder lets you paste a token, inspect its claims, and verify HMAC signatures in the browser. Use test tokens and test secrets there; a production signing secret should never be pasted into a browser tool.

