Skip to main content

JSON Web Token (JWT)

A JWT is a compact, signed JSON token that conveys identity and authorization claims, widely used in OAuth and OpenID Connect.

A JSON Web Token (JWT) is a compact, self-contained way to securely transmit information between parties as a digitally signed JSON object. JWTs are widely used to carry identity and authorization claims in modern web and API authentication.

How It Works

A JWT has three Base64URL-encoded parts separated by dots: a header, a payload, and a signature. The header names the signing algorithm. The payload holds claims, such as the subject (sub), issuer (iss), audience (aud), and expiry (exp). The signature is computed over the header and payload using either a shared secret (HMAC) or a private key (asymmetric encryption such as RS256 or ES256).

The signature lets a recipient verify that the token was issued by a trusted party and was not tampered with. Crucially, a standard JWT is signed but not encrypted, so anyone can read the payload; sensitive data should not be placed in it unless it is encrypted (JWE).

JWTs are stateless: the server can validate a token without a database lookup, which suits distributed systems.

Why It Matters

JWTs are the default token format for OAuth 2.0 access tokens and OpenID Connect ID tokens. Their stateless nature scales well across microservices and APIs, since each service can independently verify a token using a public key.

That statelessness is also a risk: a valid JWT cannot be easily revoked before it expires. Best practices include short lifetimes, refresh tokens, careful algorithm pinning to avoid the "none" and algorithm-confusion attacks, and validating issuer, audience, and expiry on every request.

Related Terms

JSON web tokens carry claims for OAuth and OpenID Connect, are signed using asymmetric encryption or shared secrets, and enable stateless single sign-on. Signing keys require careful secrets management.