If you've built or used any modern web or mobile app, you've almost certainly relied on JWTs without realising it. They're one of the most common ways applications handle authentication today. So let's demystify them — what a JSON Web Token actually is, how it's structured, and why it's so widely used.
What is a JWT?
A JWT (JSON Web Token, pronounced "jot") is a compact, self-contained way to securely transmit information between parties as a JSON object. Most commonly, it's used to prove who you are after you log in. The server hands you a token; you present that token on every subsequent request to prove you're still you.
The three parts
A JWT is a single string made of three parts, separated by dots: header.payload.signature.
- Header — describes the token: its type (JWT) and the signing algorithm used (for example, HMAC SHA-256).
- Payload — the "claims": the actual data, such as a user ID, role, and an expiry time. This is readable by anyone, so it should never contain secrets.
- Signature — the cryptographic proof. It's created by signing the header and payload with a secret key, so the server can verify the token hasn't been tampered with.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.eyJzdWIiOiIxMjMiLCJuYW1lIjoiR2VyYW4ifQ
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Why the signature matters
This is the key insight people often miss: a JWT is signed, not encrypted. Anyone can decode the payload and read it. What they cannot do is alter it without invalidating the signature — because they don't have the server's secret key. So the server can trust a valid token without storing session state, which makes JWTs especially handy for scalable, stateless APIs.
JWTs prove integrity, not secrecy. Decode-able, but not forgeable.
A few practical cautions
- Never put secrets in the payload — it's effectively public.
- Always set an expiry so a leaked token can't be used forever.
- Always transmit over HTTPS so tokens can't be intercepted.
- Keep the signing key truly secret — it's the whole basis of trust.
The bottom line
JWTs are a simple, elegant mechanism for stateless authentication: a signed JSON object that proves a claim without the server having to remember anything. Understand the three parts and the signed-not-encrypted distinction, and you understand the heart of how a huge amount of modern app security works.