Utilix knowledge base
What Is a JWT (JSON Web Token)?
Published Apr 17, 2026
A JWT (JSON Web Token) is a compact, URL-safe string used to securely transmit information between parties as a JSON object. JWTs are digitally signed, so the recipient can verify the contents have not been tampered with.
They are most commonly used for authentication and authorisation in web APIs.
JWT Structure
A JWT consists of three Base64URL-encoded parts separated by dots:
header.payload.signature
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzQzNTAwMDAwfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
1. Header
Specifies the token type and signing algorithm:
{
"alg": "HS256",
"typ": "JWT"
}
Common algorithms: HS256 (HMAC-SHA256), RS256 (RSA-SHA256), ES256 (ECDSA).
2. Payload (Claims)
Contains the actual data. Standard registered claims include:
| Claim | Meaning |
|---|---|
| sub | Subject — who the token refers to |
| iss | Issuer — who created the token |
| aud | Audience — who should accept the token |
| exp | Expiry time (Unix timestamp) |
| iat | Issued-at time (Unix timestamp) |
| nbf | Not-before time (Unix timestamp) |
| jti | JWT ID — unique identifier |
You can add any custom claims alongside registered ones.
3. Signature
For HS256, the signature is:
HMAC-SHA256(
base64url(header) + "." + base64url(payload),
secret
)
The server creates this with a secret key. To verify, the server re-computes the signature and checks it matches — proving the token was not modified.
How JWTs Are Used
- User logs in with credentials.
- Server generates a JWT signed with its secret and returns it.
- Client stores the JWT (usually in memory or `localStorage`).
- Client sends the JWT in the `Authorization` header on subsequent requests: `Authorization: Bearer <token>`
- Server verifies the signature and reads the claims — no database lookup needed.
JWTs Are Not Encrypted by Default
A standard JWT is signed, not encrypted. Anyone who intercepts the token can decode the header and payload (they are only Base64URL-encoded). Never put sensitive data (passwords, credit card numbers, PII) in a JWT payload unless you use JWE (JSON Web Encryption).
Security Best Practices
- Short expiry (`exp`): Use 15–60 minutes for access tokens; issue refresh tokens separately.
- Use RS256 in distributed systems: Asymmetric signing allows any service to verify tokens with the public key without sharing the private signing key.
- Validate all claims: Check `iss`, `aud`, `exp`, and `nbf` on every request.
- Store tokens securely: Prefer memory or `HttpOnly` cookies over `localStorage` to reduce XSS exposure.
- Rotate secrets: If a signing secret is compromised, all outstanding tokens must be considered invalid.
Use the JWT Decoder to inspect any JWT header, payload, and expiry instantly.