Understanding JWTs: Structure, Claims and Security
JSON Web Tokens underpin modern authentication. Learn how they are structured, what the claims mean, and the mistakes to avoid.
Three parts, two dots
A JWT is three Base64URL segments separated by dots: a header, a payload, and a signature. The header and payload are encoded — not encrypted — so anyone can read them with a JWT Decoder.
Standard claims
The payload carries claims. The most common registered claims are:
iss — issuer
sub — subject (the user)
exp — expiry time
iat — issued-at time
Security essentials
Because payloads are readable, never store secrets in a JWT. Always verify the signature server-side before trusting a token, and prefer short expiry times with refresh tokens.
Debugging tip
When an auth flow misbehaves, decode the token and check exp against the current time using the Timestamp Converter. Expired tokens are a frequent culprit.
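The two checks above (verify the signature server-side, then compare exp with the current time) and the unverified decode used for debugging, as an added Python example using only the standard library; it is not code from the original post. The secret, claims and issuer name are constructed for the demo, and the verifier pins HS256 rather than trusting the alg field in the header.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(segment):
    # Base64URL drops '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_unverified(token):
    """Read header and payload without checking the signature (debugging only)."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token, secret, now=None):
    """Return (payload, "ok") only if the HS256 signature is valid and exp is in the future."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm server-side; never let the token's header choose it.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in payload or now >= payload["exp"]:
        return None, "expired"
    return payload, "ok"

def make_hs256(payload, secret):
    # Issuer side: signs the same header.payload input the verifier reconstructs.
    header_b64 = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"

# Constructed sample: the secret and claims exist only for this demo.
SECRET = b"demo-secret-not-for-production"
TOKEN = make_hs256({"iss": "demo-issuer", "sub": "user-42", "iat": 1700000000, "exp": 1700003600}, SECRET)
```

Passing `now` explicitly makes the expiry check reproducible; in production leave it as the default so the real clock is used.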
Conclusion
JWTs are elegant but easy to misuse. Treat the payload as public, verify signatures rigorously, and keep lifetimes short.