What Is a JWT?
A JWT, or JSON Web Token, is a compact token format commonly used in authentication and API workflows. Developers use JWTs to carry claims such as user identity, roles, and metadata between systems in a structured, signed format.
What a JWT looks like
A JWT usually contains three parts separated by dots: the header, the payload, and the signature.
The header and payload are usually Base64URL-encoded JSON. The signature is used to help verify integrity and authenticity.
Header, payload, and signature
- Header: describes metadata about the token, such as the algorithm and token type.
- Payload: contains claims. These can include user identifiers, roles, expiry information, and other application data.
- Signature: helps confirm that the token was issued by a trusted source and was not modified after signing.
Why developers use JWTs
JWTs are popular because they are compact, portable, and easy to pass between services. They are especially common in web apps, APIs, OAuth flows, and distributed systems.
In practice, developers often encounter JWTs when debugging login flows, authorization issues, expired sessions, or API access problems.
JWT vs plain JSON vs Base64
| Concept | What it does | Typical role |
|---|---|---|
| JSON | Stores structured data | Header and payload contents |
| Base64URL | Encodes data as URL-safe text | Representation of header and payload |
| JWT | Wraps claims and signature | Authentication and authorization token |
Use our JWT Decoder
Use the decoder to inspect the header and payload of a JWT directly in the browser. This is useful for debugging auth flows and understanding what claims a token contains.
Common JWT debugging questions
- What claims are inside this token?
- Has the token expired?
- Which algorithm is being used?
- Is the payload what I expected from the auth server?
- Why is this API rejecting the token?
Important limitation
Decoding a JWT is not the same as verifying it. A decoder can show the header and payload, but it does not prove that the token is valid, trusted, or correctly signed.
That distinction matters a lot in security work. Decoding helps inspection. Verification helps trust.
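The difference between decoding and verifying, shown as an added Python example (not code from this page or its decoder tool). The HS256 key, the claims, and all helper names are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: sample HS256 key, not a real one

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a constructed sample token so the demo runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_unverified(token: str):
    """What a decoder does: parse header and payload, ignore the signature."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, key: bytes, now: int) -> dict:
    """What a verifier does: pin the algorithm, check the MAC, then check exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, picks the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:  # policy in this demo: a missing exp counts as expired
        raise ValueError("expired")
    return claims

def with_edited_payload(token: str, claims: dict) -> str:
    """Re-encode a different payload while keeping the original signature."""
    header_b64, _old, sig_b64 = token.split(".")
    return ".".join([header_b64, b64url_encode(json.dumps(claims).encode()), sig_b64])

token = sign_hs256({"sub": "user-1", "role": "viewer", "exp": 2000}, SECRET)
edited = with_edited_payload(token, {"sub": "user-1", "role": "admin", "exp": 2000})
```

`decode_unverified` returns claims for both `token` and `edited`, while `verify_hs256` accepts only the untouched, unexpired token.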
Next step: decode and inspect auth tokens
JWTs sit at the intersection of JSON, Base64-style encoding, and auth debugging. Use the related tools below to inspect token structure and supporting formats more quickly.
FAQ
Is a JWT encrypted?
Not usually. Standard JWTs are often only encoded and signed, not encrypted.
Can I trust a decoded JWT?
Not by decoding alone. You can inspect the contents, but trust requires proper signature verification.
Why do JWTs look like gibberish?
Because the header and payload are Base64URL-encoded, which makes them look opaque until decoded.