What Is a JWT Token? JSON Web Tokens Explained
JWTs are everywhere in modern web authentication. Here's what they actually contain, how to decode them, and when (not) to use them.
JWT Structure: Three Parts
A JWT looks like three Base64url-encoded strings separated by dots:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwiZXhwIjoxNzAwMDAwMDAwfQ.abc123sig
| Part | Contains | Example |
|---|---|---|
| Header | Token type & algorithm | {"alg":"HS256","typ":"JWT"} |
| Payload | Claims (user data, expiry) | {"sub":"user123","exp":1700000000} |
| Signature | HMAC or RSA signature over header.payload | Verified server-side with the signing secret (HMAC) or public key (RSA) |
JWT vs Session Tokens
| | JWT | Session Token |
|---|---|---|
| Storage | Client-side (localStorage / cookie) | Server-side database |
| Stateless? | ✅ Yes | ❌ Requires DB lookup |
| Revocable? | ❌ Hard (until expiry) | ✅ Delete from DB |
| Payload visible? | ✅ Anyone can decode | ❌ Opaque |
| Scales well? | ✅ Great for microservices | Needs shared session store |
⚠️ Remember: The JWT payload is Base64-encoded, not encrypted. Never put sensitive data in it.
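To make the three-part structure and the warning above concrete, here is a small added example (not code from the original article or from PickConverter) that decodes the article's sample token without any key, then signs and verifies an HS256 token the way a server would. The secret `DEMO_SECRET` is a constructed value for the demo; the `sign_hs256` and `verify_hs256` helper names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Sample token from the article. Its signature part is the article's placeholder,
# so it will never verify, but the header and payload decode without any key.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJzdWIiOiJ1c2VyMTIzIiwiZXhwIjoxNzAwMDAwMDAwfQ."
    "abc123sig"
)

# Constructed secret for this example only; a real service loads it from a secret store.
DEMO_SECRET = b"example-hs256-secret-not-for-production"


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Base64url encode without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, payload) WITHOUT checking the signature.

    This is all a 'JWT decoder' does, and all anyone holding the token can do:
    the claims are readable, which is why secrets must never be placed in them.
    """
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload and append an HMAC-SHA256 signature over it."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Server-side check: recompute the HMAC, compare in constant time, then check exp."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed"
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the server expects; never let the token's header choose it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    try:
        actual = b64url_decode(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "bad signature encoding"
    if not hmac.compare_digest(expected, actual):
        return False, "bad signature"
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= int(payload["exp"]):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    print(decode_unverified(SAMPLE_TOKEN))          # readable with no key at all
    token = sign_hs256({"sub": "user123", "exp": 1700000000}, DEMO_SECRET)
    print(verify_hs256(token, DEMO_SECRET, now=1699999999))   # (True, 'ok')
    print(verify_hs256(token, b"wrong-secret", now=1699999999))  # (False, 'bad signature')
    print(verify_hs256(token, DEMO_SECRET))         # expired once real time passes exp
```

Two points worth noticing: `decode_unverified` never touches the secret, which is exactly why the payload must not carry sensitive data; and `verify_hs256` decides the algorithm from server configuration rather than from the token, so a token claiming a different `alg` is rejected before any key is used.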
Frequently Asked Questions
A compact token with three Base64url-encoded parts (header, payload, signature) used for authentication. The signature verifies the token wasn't tampered with.
The signature ensures integrity, but the payload is readable by anyone. Never store passwords or sensitive data in a JWT unless using JWE encryption.
JWTs are stateless and scale well for microservices and SPAs. Session tokens are easier to revoke. Use JWTs for distributed systems; sessions for simple apps needing instant revocation.
Use PickConverter's free JWT Decoder. Paste your token to inspect the header and payload. No sign-up required.