How JSON Web Tokens (JWT) Work With Real Examples

Learn JWT structure, how they are signed and verified, and common security mistakes. Includes practical examples.

February 4, 20262 min readJWT Decoder
Development

JSON Web Tokens (JWT) are one of the most common standards for authentication and passing information between parties in a compact way. Here you'll see how they're built, how they're signed, and what mistakes to avoid.

What is a JWT?

A JWT is a string made of three parts separated by dots (.):

  1. Header: algorithm and token type (e.g. HS256, JWT).
  2. Payload: claims or “data” (user, role, expiration, etc.).
  3. Signature: ensures the token has not been tampered with.

Each part is Base64URL-encoded. That’s why you can “decode” a JWT and read the header and payload without the secret; the signature is what protects integrity.

Structure of a real JWT

A typical example looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikp1YW4gUMOpcmV6IiwiZXhwIjoxNzA2OTAwMDAwfQ.abc123signature
  • First part (header): {"alg":"HS256","typ":"JWT"}.
  • Second part (payload): {"sub":"1234567890","name":"Juan Pérez","exp":1706900000}.
  • Third part: the HMAC-SHA256 signature of the previous two parts.

Don’t store passwords or highly sensitive data in the payload—anyone can decode it.

How the signature is generated

With HS256, the server uses a shared secret key and applies HMAC-SHA256 to base64(header).base64(payload). If someone changes a single byte in the payload, the signature no longer matches and the token is considered invalid.

With RS256, the server signs with the private key and anyone with the public key can verify. This is useful when multiple services need to validate the token without holding the secret.

Common security mistakes

  • Storing secrets in the payload: the payload is readable; don’t put passwords or critical data without extra encryption.
  • Not verifying the signature: always validate the signature and the algorithm (avoid "alg": "none" or algorithm switching).
  • Not checking exp (expiration): tokens should have an expiration date and the backend must enforce it.
  • Weak or leaked keys: with HS256, a short or leaked key allows forging tokens.

Summary

A JWT gives you a “signed blob” that the client can send on each request (e.g. in the Authorization header) and the server only needs to verify the signature and claims. It’s useful for APIs and stateless sessions, as long as you don’t store sensitive information in the payload and you follow good signing and expiration practices.

If you want to inspect a token without writing code, you can use our free tool to decode header and payload instantly.

Frequently asked questions

Is JWT secure?
It depends on how you use it. If signed with a strong secret (HMAC) or verified with the public key (RSA), and you don't store sensitive data in the payload in plain text, it can be secure. Avoid sending secrets in the payload.
Can a JWT be decoded without the secret?
Yes. The header and payload are Base64URL-encoded and readable by anyone. That's why you should not store sensitive data there. What you cannot do without the secret (or private key in RS256) is forge the signature.
When should I use JWT?
Useful for stateless sessions, service-to-service APIs, user identification in single-page apps, and when the backend doesn't want to store sessions in a database. It's not the only option; signed cookies are sometimes simpler.
What is HS256 vs RS256?
HS256 uses a single secret key to sign and verify (symmetric). RS256 uses a public/private key pair: only the private key signs, and anyone with the public key can verify, which is ideal when multiple consumers need to validate the token.

Did you like this article?

Share it with your network

TwitterLinkedInFacebook

Ready to use our tools?

Try our free tools with no sign-up. JSON formatter, JWT Decoder, password generator and more.

View all tools