JWT stands for JSON Web Token. It is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe string. A JWT contains digitally signed claims about a user or system, making it the most widely used format for API authentication and authorization in 2026.

How does JWT authentication work?

JWT authentication works in three steps. First, the user logs in with credentials and the server verifies them. Second, the server creates a JWT containing the user ID and other claims, signs it with a secret or private key, and returns it to the client. Third, the client sends this JWT in the Authorization header with every subsequent API request. The server verifies the signature and reads the claims without any database lookup.

What are the three parts of a JWT?

A JWT has three Base64URL-encoded parts separated by dots. The Header contains the token type (JWT) and the signing algorithm such as HS256 or RS256. The Payload contains the claims, which are statements about the user including sub (user ID), exp (expiry time), iat (issued at) and any custom data. The Signature is created by signing the header and payload with a secret or private key, which allows the server to verify the token has not been tampered with.

No. A standard JWT (technically called JWS, JSON Web Signature) is signed but not encrypted. The payload is Base64URL encoded, which anyone can decode. This means you should never store sensitive data like passwords or credit card numbers in a JWT payload. JWE (JSON Web Encryption) is a separate standard for encrypted tokens.

What is the difference between HS256 and RS256 in JWT?

HS256 is a symmetric algorithm that uses one shared secret key for both signing and verifying. Both the server that creates the token and the service that verifies it must know the same secret. RS256 is an asymmetric algorithm that uses a private key to sign and a public key to verify. This means verification services never see the private key, making RS256 more secure for distributed systems and microservices.

What is alg:none in JWT and why is it dangerous?

Setting the algorithm to "none" in a JWT header means the token has no cryptographic signature. An attacker can create a JWT with any claims they want, set alg to none, and some vulnerable servers will accept it without any verification. This is a critical security vulnerability. Never accept tokens with alg:none in a production server.

Is it safe to decode my JWT token in this tool?

Yes. The TOOLBeans JWT Decoder runs entirely in your browser using JavaScript. Your token is never sent to any server. The decoding process is completely local to your device, making it safe to use with production tokens and sensitive data.

Auth Tool

JWT Token Decoder

Instantly decode and inspect JSON Web Tokens. View header, payload, expiry status, security warnings, and all standard JWT claims 100% runs in your browser.

3 Parts

Header · Payload · Signature

100%

Private & Offline

Live

Expiry Countdown

JWT Token Input

Samples:

🔓

Paste a JWT Token Above

Paste any JWT token to decode its header and payload, check expiry status, view security warnings, and inspect all claims with explanations.

Related Developer Tools

Free tools that work alongside the JWT decoder in your development workflow.

🔄

Base64 Encoder / Decoder

JWT uses Base64URL encoding. Encode or decode any Base64 string instantly.

📡

API Request Tester

Test APIs with Bearer token auth. Add your JWT directly in the Auth tab.

#️⃣

Hash Generator

Generate HMAC-SHA256 hashes. Understand the signing behind HS256 tokens.

{}

JSON Formatter

Format and validate the JSON payload inside any decoded JWT.

What Is JWT? JSON Web Token Explained

JWT stands for JSON Web Token. The full form of JWT is JSON Web Token, pronounced as jot. It is an open industry standard defined by RFC 7519 for securely transmitting information between two parties as a compact, URL-safe string. JWT meaning in web development is essentially a self-contained token that proves who a user is and what they are allowed to do, without the server needing to look anything up in a database.

JWT authentication is the most widely used method for securing REST APIs in 2026. When you log into any modern web application, a banking app, a SaaS product or a mobile application, there is a very high chance that a JWT token is being used behind the scenes to keep your session secure. The token travels with every API request in the Authorization: Bearer header, allowing the server to verify your identity without maintaining server-side session state.

The popularity of JWT comes from three practical advantages over older session-based authentication. JWTs are stateless, meaning the server does not need to store session data in a database or shared memory. They are portable, working across multiple services, microservices and mobile clients without coordination. And they are self-describing, carrying all the information about the user and their permissions directly inside the token itself.

How JWT Authentication Works Step by Step

Understanding how JWT authentication works helps you debug token issues, choose the right algorithm and implement secure APIs. Here is the complete JWT auth flow that happens every time a user logs in to a modern web application.

User Logs In

The user submits their username and password to the authentication endpoint (typically POST /login or POST /auth/token). The server validates the credentials against the database.

Server Creates the JWT

On successful login, the server builds a JWT payload containing claims like sub (user ID), email, roles and exp (expiry time). It signs the header and payload using the chosen algorithm HS256 with a secret key or RS256 with a private key to produce the signature.

Token Sent to Client

The server returns the JWT to the client. The client stores it, ideally in an httpOnly cookie (most secure) or in memory. Storing JWTs in localStorage makes them vulnerable to XSS attacks.

Client Sends JWT with Every Request

For every subsequent API call, the client includes the JWT in the Authorization header: "Authorization: Bearer eyJ...". This is how the server knows who is making the request.

Server Verifies the Token

The server decodes the token, verifies the signature using the secret or public key, checks that the exp claim has not passed and validates the iss and aud claims. If all checks pass, the request is processed. No database lookup required.

JWT Structure: Header, Payload and Signature Explained

A JWT token is made up of three parts separated by dots. Each part is Base64URL encoded, which is why JWT tokens always start with eyJ (the Base64URL encoding of the opening {" of a JSON object).

A complete JWT token looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiIsImV4cCI6OTk5OTk5OTk5OX0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

■ Header■ Payload■ Signature

Part 1: Header

The JWT header is a JSON object containing two fields. alg specifies the signing algorithm and typ is always "JWT". The algorithm choice directly affects security. Use RS256 or ES256 for production systems. Never use alg:none.

{
  "alg": "HS256",
  "typ": "JWT"
}

Part 2: Payload (Claims)

The JWT payload contains claims. Standard claims include sub (subject, the user ID), exp (expiration, a Unix timestamp), iat (issued at), iss (issuer) and aud (audience). You can add any custom claims like roles or email. Remember: the payload is not encrypted, only Base64URL encoded. Anyone who gets the token can read it. Use our Base64 decoder to see this yourself.

{
  "sub": "user_12345",
  "email": "alice@example.com",
  "role": "admin",
  "iat": 1700000000,
  "exp": 1700003600
}

Part 3: Signature

The signature is produced by combining the encoded header and payload, then signing them with the chosen algorithm and key. For HS256: HMACSHA256(base64url(header) + "." + base64url(payload), secret). This prevents tampering. If any bit of the header or payload changes, the signature verification fails and the server rejects the token. Note: this tool decodes the header and payload but cannot verify the signature since that requires your server's secret or public key.

JWT vs Session Tokens: Key Differences

Before JWT, the dominant authentication method was server-side sessions. Understanding the difference helps you choose the right approach for your application.

Aspect	JWT Token	Session Token
Storage	Client (cookie or memory)	Server database or memory
State	Stateless no server lookup	Stateful DB query per request
Revocation	Difficult without extra infra	Easy delete session record
Scalability	Excellent for microservices	Requires shared session store
Token size	Larger (claims included)	Small (just an ID)
Expiry	Built into exp claim	Managed server-side
Use case	APIs, mobile, microservices	Traditional web apps

JWT is not always better than sessions. If you need instant token revocation (like logging out all devices immediately), sessions are simpler. If you are building APIs consumed by mobile apps, third-party services or microservices across multiple servers, JWT is the standard choice. Many production systems use both: short-lived JWTs for access and a session or refresh token mechanism for renewal.

Common JWT Errors and What They Mean

If you work with JWT authentication long enough, you will encounter these error messages. Here is what each one means and how to fix it. Use this decoder tool to inspect the token when debugging any of these errors.

TokenExpiredError: jwt expired

Cause: The current time is past the exp claim timestamp.

Fix: Issue a new token using your refresh token, or extend the expiry time on the server side. Use the decoder above to check the exact exp timestamp.

JsonWebTokenError: invalid signature

Cause: The token was signed with a different secret or private key than the one the server is using to verify.

Fix: Ensure the signing key matches the verification key. Common in deployments where environment variables differ between environments.

JsonWebTokenError: jwt malformed

Cause: The token string does not have the expected three-part dot-separated structure.

Fix: Check that the full token is being passed, not truncated. Ensure there are no extra spaces or newlines. Paste into the decoder above to see the structure.

NotBeforeError: jwt not active

Cause: The current time is before the nbf (not before) claim timestamp.

Fix: Check for clock skew between the server that issued the token and the server that is verifying it. Add a small leeway window.

401 Unauthorized: Bearer token missing

Cause: The Authorization header was not included in the request.

Fix: Add Authorization: Bearer <your_jwt_token> to the request headers. Use the API Request Tester tool at TOOLBeans to test your request with the correct auth header.

JWT Signing Algorithms Explained: HS256 vs RS256 vs ES256

The algorithm specified in the JWT header determines how the signature is created and verified. Choosing the wrong algorithm is one of the most common JWT security mistakes.

HS256 / HS384 / HS512

Good

Symmetric (HMAC)

Pros

+Simple to implement

+Single shared key

+Fast verification

Cons

−Both sides share the same secret

−If the secret leaks, all tokens are compromised

−Hard to rotate keys in multi-service setups

Best for: Single-server APIs where only one service creates and verifies tokens.

RS256 / RS384 / RS512

Best

Asymmetric (RSA)

Pros

+Private key signs, public key verifies

+Verification services never see private key

+Supports JWKS (public key endpoint)

Cons

−More complex setup

−Larger key and signature size

−Slightly slower than HMAC

Best for: Distributed systems, microservices, third-party integrations. The industry standard.

ES256 / ES384 / ES512

Best

Asymmetric (ECDSA)

Pros

+Smaller keys than RSA for same security

+Faster than RSA

+Modern OAuth providers prefer ES256

Cons

−More complex than HMAC

−Less library support than RS256

Best for: Modern APIs where performance matters. Preferred by many OAuth 2.0 providers.

How to Use the JWT Decoder Tool

The TOOLBeans JWT decoder is the fastest way to inspect any JSON Web Token in your browser. Here is how to get the most out of it.

1️⃣

Paste Your Token

Copy your JWT from a network request in browser devtools, from your API client, or from an Authorization header. Paste it into the input box. Decoding is instant.

2️⃣

Check Expiry Status

The green, amber or red banner at the top tells you immediately whether the token is valid, expiring soon or already expired, with a live countdown timer.

3️⃣

Inspect Claims

The Payload Claims tab shows every claim with its value. Standard claims like sub, exp and iat include explanations. Timestamps are shown as human-readable dates.

4️⃣

Check Algorithm Security

The algorithm security card shows whether your signing algorithm is safe. Critical warning for alg:none. Rating for HS256, RS256 and ES256 families.

5️⃣

Review Raw JSON

Switch to the Raw JSON tab to see the decoded header and payload as formatted JSON. Copy individual sections or download the full decoded token as a JSON file.

6️⃣

Use the JWT Guide Tab

New to JWT? Click the JWT Guide tab for the complete reference including the claims table, security dos and donts, and FAQ covering common JWT questions.

🔒 Privacy Guarantee

Your JWT token is decoded entirely in your browser using JavaScript. The token string is never sent to any server and is never logged. This tool is safe to use with production tokens, tokens containing real user data and tokens from live applications. All processing is local.

Frequently Asked Questions About JWT

What does JWT stand for? What is the full form of JWT?

JWT stands for JSON Web Token. The full form is JSON Web Token. It is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe signed string. It is pronounced "jot".

What is JWT used for in web development?

JWT is primarily used for API authentication and authorization. When a user logs in, the server issues a JWT. The client sends this token with every API request in the Authorization header. The server verifies the token to confirm the user's identity without a database lookup. JWT is also used for information exchange between microservices and for OAuth 2.0 access tokens.

What is sub in JWT?

The sub claim in a JWT stands for Subject. It identifies the principal that is the subject of the token most commonly the user ID. For example, sub: "user_12345" means the token was issued for the user with ID user_12345. It is a standard registered claim defined in RFC 7519.

What does exp mean in a JWT?

exp stands for Expiration Time. It is a Unix timestamp (seconds since January 1, 1970) indicating when the token expires. After this time, the token must not be accepted. For example, exp: 1700003600 means the token expires at that specific second. The decoder above converts this to a human-readable date and shows a live countdown.

What is iat in a JWT?

iat stands for Issued At. It is a Unix timestamp recording when the JWT was created. Combined with exp, it tells you the token's total valid lifetime. For example, if iat is 1700000000 and exp is 1700003600, the token is valid for exactly one hour (3600 seconds).

Can I use a JWT decoder without the secret key?

Yes. You can decode the header and payload of any JWT without the secret or private key because they are only Base64URL encoded, not encrypted. What you cannot do without the key is verify the signature. This tool decodes the content of any JWT so you can inspect its claims, but it cannot confirm whether the token is genuinely valid without server-side signature verification.

Where should I store a JWT on the client side?

The safest storage for a JWT is an httpOnly, Secure, SameSite cookie. This prevents JavaScript from reading the token, protecting against XSS attacks. Many developers store JWTs in localStorage for convenience, but this is not recommended because any JavaScript on the page including third-party scripts can read localStorage. For single-page applications, in-memory storage (a JavaScript variable) combined with refresh tokens is also a secure option.

What is the difference between JWT and OAuth?

OAuth 2.0 is an authorization framework that defines how applications can request access to resources on behalf of a user. JWT is a token format. They are complementary, not alternatives. OAuth 2.0 uses JWT as the format for its access tokens. When you see a Bearer token in an OAuth 2.0 flow, it is typically a JWT. OAuth handles the flow and permissions. JWT handles how the token data is structured and signed.