JWT Tokens Explained: Structure, Security & Best Practices
2026-05-02 7 min read
A JWT (JSON Web Token) is a self-contained, signed token that carries user identity and claims. Our JWT Decoder lets you inspect tokens safely (locally, no server upload) and understand their contents.
JWT Structure: Header.Payload.Signature
Every JWT has three base64url-encoded parts separated by dots: a header (the signing algorithm), a payload (the claims), and a signature (proof that the header and payload were produced by the key holder and have not been altered).
Example JWT
```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```
Decoded Breakdown
Header
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
Payload (claims)
```json
{
  "sub": "1234567890",
  "name": "Alice",
  "iat": 1516239022
}
```
Common Claims
| Claim | Meaning | Example |
|---|---|---|
| sub | Subject (user ID) | "user_123" |
| iat | Issued at (Unix timestamp) | 1516239022 |
| exp | Expiration time | 1516242622 |
| iss | Issuer | "https://auth.example.com" |
| aud | Audience (intended recipient) | "api.example.com" |
Security Best Practices
- Always verify the signature before trusting the payload; decoding a token on its own proves nothing about who issued it
- Check the expiration time (exp claim) — reject expired tokens
- Store tokens securely (httpOnly cookies, not localStorage)
- Use HTTPS-only to prevent token interception
- Keep the signing secret safe (never expose it in frontend code)
- Use short expiration times (15-60 minutes) and refresh tokens for longer sessions