What is JWT? Explained with Examples
JSON Web Token (JWT) is a compact, URL‑safe way to represent claims between two parties. A token consists of three Base64URL‑encoded parts separated by dots: a JSON header, a JSON payload, and a signature computed over the first two.
Structure of a JWT
xxxxx.yyyyy.zzzzz // header.payload.signature
- Header — declares the algorithm (alg) and token type (typ = JWT).
- Payload — contains claims such as sub (subject), iat (issued at), exp (expiry), and custom fields.
- Signature — computed over the encoded header and payload (header.payload) with HMAC, RSASSA, or ECDSA depending on alg; it lets the verifier check that the token is authentic and has not been modified.
Common Algorithms
- HS256 — HMAC with SHA‑256 (shared secret).
- RS256 — RSA with SHA‑256 (private/public key pair).
- ES256 — ECDSA with P‑256 and SHA‑256 (smaller signatures).
Encoding & Decoding
Decoding a JWT does not require a secret — it is merely Base64URL decoding, so anyone holding the token can read its claims. Verifying the signature does require key material: the shared secret for HS*, or the issuer's public key for RS*/ES* (the private key is used only for signing). Never treat a decoded JWT as trustworthy until its signature has been verified.
Security Best Practices
- Use HTTPS everywhere; never send tokens over insecure channels.
- Keep tokens short‑lived (exp) and rotate refresh tokens.
- Store tokens in HttpOnly cookies if possible (with Secure and SameSite set, since cookies are sent automatically and therefore need CSRF protection); avoid localStorage for highly sensitive apps, where any XSS can read the token.
- Validate iss/aud/exp/nbf so that a token issued by another issuer or for another service (for example, a staging token presented to production) is rejected, and expired or not‑yet‑valid tokens are not accepted.
- Scope claims minimally; avoid placing PII/secrets in the payload.
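A claim-validation routine illustrating the iss/aud/exp/nbf checks and the short-lifetime point from the list above. This is an added example, not code from the original page; the issuer and audience strings, the clock values, and the leeway and max_lifetime parameters are constructed for the demonstration. It runs after the signature has been verified, because a valid signature says nothing about whether the token was meant for this service at this time.

```python
from typing import Dict, List, Optional


def validate_claims(payload: Dict, expected_iss: str, expected_aud: str,
                    now: int, leeway: int = 0,
                    max_lifetime: Optional[int] = None) -> List[str]:
    """Return a list of problems with the registered claims; an empty list means accept.

    now is the verifier's clock as Unix seconds; leeway absorbs small clock skew
    between issuer and verifier. max_lifetime (seconds) rejects tokens whose
    exp - iat window is longer than policy allows (the "keep tokens short-lived" rule).
    """
    problems: List[str] = []

    # exp: a token without an expiry never dies; treat that as an error, not a default.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp missing")
    elif now > exp + leeway:
        problems.append("token expired")

    # nbf: optional, but if present the token must not be used before it.
    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        problems.append("token not yet valid")

    # iss: pins the token to the issuer we trust, so a token minted by another
    # environment's issuer (staging, a partner IdP) is rejected even if it verifies.
    if payload.get("iss") != expected_iss:
        problems.append("unexpected issuer")

    # aud: RFC 7519 allows a string or an array of strings; we must appear in it.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        problems.append("not intended for this audience")

    # Lifetime policy: even a valid, unexpired token is suspect if it was minted
    # with a lifetime far longer than this service's policy allows.
    iat = payload.get("iat")
    if (max_lifetime is not None and isinstance(iat, (int, float))
            and isinstance(exp, (int, float)) and exp - iat > max_lifetime):
        problems.append("lifetime too long")

    return problems


if __name__ == "__main__":
    # Constructed sample payloads; the clock is fixed so the run is reproducible.
    prod = {"iss": "https://issuer.example", "aud": "api.example",
            "sub": "u1", "iat": 900, "nbf": 900, "exp": 1000}
    staging = dict(prod, iss="https://staging-issuer.example", aud="staging-api.example")
    print("prod token at t=950:", validate_claims(prod, "https://issuer.example", "api.example", now=950))
    print("staging token against prod:", validate_claims(staging, "https://issuer.example", "api.example", now=950))
    print("prod token at t=1001, 5s leeway:",
          validate_claims(prod, "https://issuer.example", "api.example", now=1001, leeway=5))
```

Keep leeway to a few seconds: it exists to tolerate clock skew, not to extend token lifetime.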
Example Payload
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 1516242622
}
Common Pitfalls
- Accepting alg = none — always restrict to an allow‑list (e.g., HS256/RS256) enforced on the server, and pin the expected algorithm to each key rather than trusting the header's alg.
- Not verifying the signature — decoding alone is not validation.
- Leaking tokens via logs, URLs, or referrers — prefer Authorization headers.
- Missing rotation and revocation strategy — stale tokens linger.
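The decode-versus-verify distinction from the Encoding & Decoding section and the first two pitfalls above (alg = none, decoding without verifying), as one added example in Python using only the standard library. It is not code from the original page; the secret, the ALLOWED_ALGS allow-list, the function names, and the forged tokens are constructed for the demonstration. The payload is the page's own example payload, so the header segment of the signed token matches the familiar eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 prefix.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed demo key for this example only; real keys come from a secret store.
SECRET = b"demo-secret-do-not-use"
# Server-side allow-list: the header's alg is checked against this, never trusted.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    """Base64URL without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: Dict) -> bytes:
    """Compact JSON, the usual serialization for header and payload."""
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(payload: Dict, secret: bytes) -> str:
    """header.payload.signature, where signature = HMAC-SHA256(secret, header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_json_bytes(header)) + "." + b64url_encode(_json_bytes(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """Decoding needs no key: it is Base64URL plus JSON. Nothing returned here is trustworthy."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> Optional[Dict]:
    """Return the payload only if alg is allowed and the HMAC matches, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm on the server: this rejects alg=none and any algorithm
        # this key was not meant for, regardless of what the header claims.
        if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # compare_digest is constant-time, so a forged signature leaks no timing information.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None  # wrong number of segments, bad Base64URL, or invalid JSON


def forge_alg_none(payload: Dict) -> str:
    """Constructed attacker token: alg=none with an empty signature segment."""
    header = {"alg": "none", "typ": "JWT"}
    return b64url_encode(_json_bytes(header)) + "." + b64url_encode(_json_bytes(payload)) + "."


def tamper_payload(token: str, new_payload: Dict) -> str:
    """Constructed attack: swap the payload segment but keep the original signature."""
    header_b64, _old_payload_b64, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url_encode(_json_bytes(new_payload))}.{sig_b64}"


if __name__ == "__main__":
    claims = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022, "exp": 1516242622}
    token = sign_hs256(claims, SECRET)
    print("token:", token)
    print("decoded without secret:", decode_unverified(token)[1])
    print("verified:", verify_hs256(token, SECRET))
    print("tampered payload:", verify_hs256(tamper_payload(token, {"sub": "admin"}), SECRET))
    print("alg=none forgery:", verify_hs256(forge_alg_none({"sub": "admin"}), SECRET))
```

The forged alg=none token decodes cleanly, which is exactly why decoding alone proves nothing; only verify_hs256, with its server-side algorithm pin and constant-time HMAC check, distinguishes it from a genuine token. In a real service verify_hs256 would be followed by claim validation (exp, nbf, iss, aud) before the payload is trusted.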
Conclusion
JWTs enable stateless auth at scale, but correctness depends on strict validation and key management. Use them with care, and test your flows with a local decoder/encoder.