A JWT is a compact string with three Base64URL-encoded parts separated by dots: header.payload.signature. APIs use JWTs to pass signed claims between services without a session store on every request.
The three parts
- Header: algorithm and token type (e.g. HS256, RS256)
- Payload: claims like sub (subject), exp (expiry), roles
- Signature: proves the token wasn’t tampered with (if verified)
Important claims to check
Always validate exp (expiration) and iss/aud when your framework supports it. Short-lived access tokens plus refresh tokens reduce risk if a token leaks.
Decoding is not verifying
Reading the payload without checking the signature only helps debugging. Production code must verify signatures with the correct secret or public key.
Try it instantly
Inspect header and payload safely with our JWT Decoder.
