๐ Crypto & Encoding
What Is a JWT and How Does It Work?
By Justin Le
ยท 8 min read ยท Updated June 27, 2026 JSON Web Tokens (JWTs) are everywhere in modern authentication, yet they're widely misunderstood โ sometimes in ways that cause real security holes. This guide explains what a JWT actually is, what its signature does (and doesn't) guarantee, and how to use them safely.
What is a JWT?
A JWT is a compact, URL-safe way to represent a set of claims โ statements like "this user's ID is 42" or "this token expires at 3pm" โ that one party can give to another. Its defining feature is that it's signed, so the receiver can verify it hasn't been altered and was issued by someone who holds the signing key.
The three parts
A JWT is three Base64url-encoded sections joined by dots:
header.payload.signature.
- Header โ declares the token type and signing algorithm, e.g.
{"alg":"HS256","typ":"JWT"}. - Payload โ the claims, e.g.
{"sub":"42","exp":1730000000}. - Signature โ computed over the header and payload using the signing key.
Crucially, the header and payload are only encoded, not encrypted. Anyone who has the token can read them. Paste a token into a JWT decoder and you'll see the JSON instantly โ which is exactly why you must never put secrets in a JWT.
How signing works
The signature is what makes a JWT trustworthy. For the common
HS256 algorithm, the signature is an
HMAC-SHA256 of
header.payload using a shared secret. When the server receives the
token back, it recomputes that HMAC with the same secret and checks it matches. If
a single character of the payload was changed, the signature won't match and the
token is rejected.
The signature proves integrity and authenticity (the token wasn't tampered with and came from someone with the key). It does not provide confidentiality โ that's the most common misconception.
HS256 vs RS256
The two families you'll meet most often:
- HS256 (symmetric) โ one shared secret signs and verifies. Simple, fast, but everyone who can verify can also forge, so the secret must stay on trusted servers.
- RS256 (asymmetric) โ a private key signs, a public key verifies. The verifier can't create tokens, which is ideal when many independent services need to validate tokens issued by one authority.
Typical login flow
- The user logs in with a username and password.
- The server verifies the credentials and issues a signed JWT containing the user ID and an expiry.
- The client sends that JWT on each request (usually in an
Authorization: Bearerheader). - The server verifies the signature and expiry on every request โ no database lookup needed to trust the claims.
Common security mistakes
- Putting secrets in the payload. It's readable. Store only non-sensitive identifiers.
- Not verifying the signature. Decoding is not validating. Always verify before trusting any claim.
- Accepting
alg: none. Some libraries historically accepted unsigned tokens โ reject anything whose algorithm isn't what you expect. - Weak HS256 secrets. A short secret can be brute-forced. Use a long random one from our API key generator.
- Ignoring expiry. Always set and check
exp; short-lived tokens limit the blast radius of a leak.
See it in action
The best way to understand JWTs is to build and break one. Create a signed token with our JWT generator, then decode and verify it with the JWT decoder โ change one character of the payload and watch the signature check fail.
Frequently asked questions
Is a JWT encrypted?
No. A standard JWT is signed, not encrypted. The header and payload are only Base64url-encoded and can be read by anyone holding the token. Never store secrets in the payload.
What's the difference between HS256 and RS256?
HS256 uses one shared secret to both sign and verify. RS256 uses a private key to sign and a public key to verify, so verifiers can't forge tokens โ better when many services validate tokens from one issuer.
Does decoding a JWT mean it's valid?
No. Decoding only reads the data. A token is valid only if its signature verifies against the correct key and its time claims (exp/nbf) are satisfied. Always verify server-side.
Try the related tools
- JWT Decoder & Validator Decode a JWT's header and payload, inspect its claims, and verify an HS256 signature.
- JWT Generator (HS256) Create and sign a JSON Web Token (HS256/384/512) from a payload and secret.
- HMAC Generator (SHA-1, SHA-256, SHA-512) Compute an HMAC from a message and secret key using SHA-1/256/384/512, as hex or Base64.
Related guides
- HMAC Explained: How Webhook Signatures Work How HMAC proves a message came from who you think it did โ the mechanism behind Stripe and GitHub webhook signatures, and how to verify them safely.
- What Is Base64 Encoding? (And Why It's Not Encryption) Base64 turns binary data into safe text โ but it is not encryption. Here's how it works, why it grows your data by a third, and when to reach for it.
- MD5 vs SHA-1 vs SHA-256: Which Hash Should You Use? MD5 and SHA-1 are broken โ but not for the reason most people think. Here's what each hash is for, why collisions matter, and which to actually use.