Published: June 2026 | By Web Util Slyce Team | 8 min read

JWT Tokens — Structure, Examples & How They Work

A comprehensive guide to JSON Web Tokens (JWT). Decode and inspect tokens with our JWT Decoder tool.

What is a JWT?

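A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64url-encoded parts separated by dots: header.payload.signature. The header and payload are only encoded, not encrypted, so anyone who holds the token can read them.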

JWT Structure

// Full JWT (3 parts separated by dots)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header

Contains metadata about the token type and signing algorithm.

{ "alg": "HS256", "typ": "JWT" }
// Algorithm: HS256 (HMAC with SHA-256)
// Type: JWT

2. Payload (Claims)

Contains the claims — statements about an entity and additional metadata.

{
  "sub": "1234567890",        // Subject (user ID)
  "name": "John Doe",         // Custom claim
  "iat": 1516239022,          // Issued at (Unix timestamp)
  "exp": 1516242622,          // Expiration (Unix timestamp)
  "iss": "https://auth.example.com", // Issuer
  "aud": "https://api.example.com"   // Audience
}

3. Signature

The signature lets the recipient verify that the token hasn't been tampered with. With HS256, it's created by computing an HMAC-SHA256 over the Base64url-encoded header and payload (joined by a dot) with a secret key.

// HMAC-SHA256(base64url(header) + '.' + base64url(payload), secret)
HMACSHA256(
  base64urlEncode(header) + "." +
  base64urlEncode(payload),
  "your-256-bit-secret"
)

Common JWT Examples

Access Token

Header: {"alg":"RS256","typ":"JWT","kid":"key1"}
Payload: {
  "sub":"user_abc123",
  "email":"user@example.com",
  "roles":["admin","editor"],
  "iat":1717200000,
  "exp":1717203600,
  "iss":"auth.example.com"
}

ID Token (OpenID Connect)

Header: {"alg":"RS256","typ":"JWT"}
Payload: {
  "sub":"1234567890",
  "name":"Jane Smith",
  "email":"jane@example.com",
  "email_verified":true,
  "picture":"https://example.com/avatar.jpg",
  "iat":1717200000,
  "exp":1717203600
}

Common JWT Claims

| Claim | Name | Description |
|-------|------|-------------|
| iss | Issuer | Identifies the principal that issued the JWT |
| sub | Subject | Identifies the subject of the JWT (usually a user ID) |
| aud | Audience | Identifies the recipients the JWT is intended for |
| exp | Expiration | Unix timestamp after which the JWT must not be accepted |
| nbf | Not Before | Unix timestamp before which the JWT must not be accepted |
| iat | Issued At | Unix timestamp when the JWT was issued |
| jti | JWT ID | Unique identifier for the JWT (can be used to prevent replay attacks) |