What is JWT? JSON Web Token Explained with Structure, Claims, and Security

What is JWT?

JWT stands for JSON Web Token, defined by RFC 7519. It is a URL-safe token format used to represent claims as a signed JSON object.

A server can issue a JWT after login, and clients send it in an Authorization: Bearer <token> header on subsequent requests.

JWT Structure: Header, Payload, Signature

A JWT has three Base64URL-encoded parts separated by dots:

header.payload.signature

• Header: token type and signing algorithm (for example, HS256).
• Payload: claims such as user ID, roles, and expiration.
• Signature: verifies integrity and authenticity.

JWT Claims Explained

Common registered claims include:

• iss: issuer
• sub: subject (usually user id)
• aud: audience
• exp: expiration timestamp
• iat: issued-at timestamp
• nbf: not-before timestamp

Avoid placing secrets or sensitive personal data inside payload claims, because payload content can be decoded by anyone who has the token.

How JWT Authentication Works

1. User signs in with credentials.
2. Server validates user and issues an access token JWT.
3. Client stores token (prefer secure HTTP-only cookie when possible).
4. Client sends token with API requests.
5. Server verifies signature and claims before serving protected data.

HS256 vs RS256

Security Best Practices

• Set short access-token lifetimes using exp.
• Use refresh tokens with rotation and revocation support.
• Always validate signature, issuer, audience, and expiration.
• Reject unsigned tokens and explicitly control allowed algorithms.
• Serve tokens only over HTTPS.