JSON Web Token (JWT)
A JSON Web Token (JWT) is a compact, URL-safe string defined in RFC 7519 that carries claims between parties. A JWT has three dot-separated parts: a header (algorithm and type), a payload (claims about the user or session), and a signature that proves integrity. JWTs are commonly used for stateless authentication — after login, the server issues a signed token and the client sends it with subsequent requests. The format is standardized so libraries in every language can encode, sign, and verify tokens consistently. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks.
Why It Matters
JWTs let APIs authenticate users without storing session state on the server, which scales well in distributed systems. Understanding JWT structure is essential before implementing signing, validation, or secret management. The payload is only base64-encoded, not encrypted — never store passwords or sensitive data in JWT claims. Choosing the right algorithm and claim set early prevents costly security refactors later. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently.
Related Terms
Related Comparisons
Related Tools
Related Articles
Frequently Asked Questions
Is a JWT encrypted?
No. The payload is base64url-encoded and readable by anyone with the token. Use HTTPS and short expiration times. For encrypted tokens, use JWE (JSON Web Encryption) instead of a plain signed JWT. Consult your JWT library documentation for exact option names, defaults, and error types.
What are the three parts of a JWT?
Header (algorithm and type), payload (claims), and signature (cryptographic proof of integrity). They are separated by dots and each segment is base64url-encoded before signing. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.
When should I use a JWT?
Use JWTs for stateless API authentication, microservice authorization, and short-lived access tokens. Avoid them when you need immediate server-side revocation without extra infrastructure. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.