A JSON Web Token (JWT) is a compact, URL-safe string used to represent claims between two parties. It's made of three Base64url-encoded parts separated by dots: header.payload.signature. The header declares the signing algorithm, the payload carries the actual data (claims), and the signature lets whoever verifies the token against the right key detect that the header or payload has been tampered with.
JWTs are stateless: the server doesn't need to store session data, because all the information is in the token itself. This makes them ideal for distributed systems, microservices, and mobile apps.
The two main use cases are:
role: "admin", so the server can decide what you're allowed to do without hitting the database each time.

Standard claims you'll see in most payloads:

| Claim | Meaning |
|---|---|
| sub | Subject — usually the user ID |
| iat | Issued at — when the token was created (Unix timestamp) |
| exp | Expiration — when the token expires (Unix timestamp) |
| iss | Issuer — who created the token (e.g. your auth server) |
| aud | Audience — who the token is intended for |
The signature lets the verifier detect tampering; it does not hide anything. The most common algorithms:
The payload is only Base64url-encoded, not encrypted. Anyone with the token can read the claims — don't put passwords, credit card numbers, or sensitive PII in the payload unless you use JWE (JSON Web Encryption). The verifier must also decide which algorithm it accepts up front rather than trusting the alg value in the header, since a token's header is under the sender's control. And JWTs can't be revoked before expiry unless you keep a server-side denylist (blacklist) of revoked tokens, which gives up part of the stateless benefit.
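A worked example, added here and not part of this page or its tool: it mints an HS256 token carrying the claims from the table above, decodes it without any key to show that the payload is merely Base64url-encoded, renders exp as a readable date, then verifies it the way a server should: algorithm pinned to HS256, constant-time signature check, exp/iss/aud checked, and a denylist consulted for revocation. The secret, issuer, audience and claim values are constructed for the demo, and `tamper` and `why_rejected` are illustration helpers, not a library API.

```python
import base64
import hashlib
import hmac
import json
import time
from datetime import datetime, timezone
from typing import Optional

# Constructed demo secret; a real deployment uses a random key of at least 256 bits.
SECRET = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    # JWT segments use Base64url with the trailing '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Put the padding back before decoding; bad input raises a ValueError subclass.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    # "header.payload" is the signing input; HMAC-SHA256 over it becomes the third segment.
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)]
    signing_input = ".".join(segments)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> tuple:
    # No key involved: anyone holding the token can read (and edit) header and payload.
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def exp_to_date(unix_ts: int) -> str:
    # Render a Unix-timestamp claim such as exp or iat as an ISO 8601 UTC date.
    return datetime.fromtimestamp(unix_ts, tz=timezone.utc).isoformat()


def tamper(token: str, **changes) -> str:
    # Re-encode the payload with changed claims but keep the original signature (demo helper).
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = {**json.loads(b64url_decode(payload_b64)), **changes}
    return ".".join([header_b64, b64url_encode(json.dumps(claims, separators=(",", ":")).encode()), sig_b64])


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[int] = None, denylist=frozenset()) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side. Trusting the header's alg lets the sender pick
    # "none" or any other algorithm the verifier happens to support.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only after the signature is good do the claims mean anything.
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if audience not in audiences:
        raise ValueError("wrong audience")
    # Revocation before exp needs server-side state; the signature segment identifies the token.
    if sig_b64 in denylist:
        raise ValueError("revoked")
    return claims


def why_rejected(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[int] = None, denylist=frozenset()) -> Optional[str]:
    # Demo helper: the rejection reason, or None if the token is valid.
    try:
        verify_hs256(token, secret, issuer, audience, now, denylist)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    claims = {"sub": "user-123", "role": "admin", "iat": now, "exp": now + 3600,
              "iss": "https://auth.example", "aud": "api.example"}
    token = sign_hs256(claims, SECRET)
    print(token)
    print(decode_unverified(token), "exp =", exp_to_date(claims["exp"]))
    print(verify_hs256(token, SECRET, "https://auth.example", "api.example", now=now))
    # Changing the role needs no key at all, but the signature then no longer matches.
    print(why_rejected(tamper(token, role="root"), SECRET, "https://auth.example", "api.example", now=now))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so an attacker-controlled payload never influences a decision; the denylist is keyed on the signature segment, which is unique per issued token, and is the piece of server-side state the paragraph above refers to.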
exp claim is shown as a human-readable date
Everything runs in your browser: your tokens and secrets never leave your device.