A JWT (JSON Web Token) is a compact, self-contained way to represent claims between two parties. It’s three base64url-encoded strings separated by dots: header, payload, and signature.
Structure
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
- Header — algorithm used to sign the token
- Payload — the claims (JSON with fields like sub, exp, iss)
- Signature — cryptographic proof that the token hasn’t been tampered with
What it’s used for
- ID tokens (from OIDC) — identity claims about a signed-in user
- Access tokens — sometimes issued as JWTs, so resource servers can verify without a round-trip to the IdP
- Service-to-service auth — passing user identity across microservices
The trap
A JWT is signed, but its claims are readable by anyone who holds it: base64url is encoding, not encryption. And if you decode it without verifying the signature, the claims are just a suggestion from whoever sent the token. Always verify with a library, pin the expected algorithm rather than trusting the token’s alg header, and check iss, aud, and exp.
See the full auth glossary for related terms.