What is JWT (JSON Web Token)?
Also known as: JSON Web Token, bearer token.
Last updated: July 2026
- JWT (JSON Web Token)
- A JWT (JSON Web Token, defined in RFC 7519) is a compact, URL-safe way to represent claims between two parties. It has three Base64url-encoded parts separated by dots — header, payload and signature — and is commonly used as an authentication token. It's signed, not encrypted, so the payload is readable by anyone.
The three parts
A JWT is written as header.payload.signature. The header declares the signing algorithm (e.g. HS256 or RS256). The payload holds the claims — data such as the user ID, expiry (exp) and issuer (iss). The signature is computed from the first two parts plus a secret or private key, and proves the token hasn't been altered.
Signed, not encrypted
By default a JWT is signed but not encrypted. Anyone can Base64url-decode and read the payload, so you must never store secrets in it. The signature only guarantees integrity and authenticity: that the token came from the party it claims to come from and wasn't tampered with.
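The difference between reading and verifying, as an added example that is not part of the original page: the payload decodes without any key, while an HS256 check with the shared secret rejects a token whose payload was edited. The secret, claims and helper names are constructed for illustration, and only the signature is checked here (claim checks such as exp are left out).

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real one

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    # JWT parts drop the "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    signing_input = f"{b64url_json(header)}.{b64url_json(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def decode_unverified(token: str) -> tuple:
    # No key involved: this is everything a decoder (or anyone else) needs.
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, secret: bytes) -> bool:
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False  # wrong number of parts, bad Base64url or bad JSON
    # The verifier pins the algorithm; it does not take it from the token.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)  # constant-time comparison

def with_edited_payload(token: str, **changes) -> str:
    # Re-encode a modified payload but keep the original signature.
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = {**json.loads(b64url_decode(payload_b64)), **changes}
    return f"{header_b64}.{b64url_json(payload)}.{sig_b64}"

TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},  # constructed sample token
                   {"sub": "user-123", "iss": "https://issuer.example", "exp": 1893456000}, SECRET)
```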
FAQ
Is a JWT encrypted?
No — by default it is signed, not encrypted. The payload is only Base64url-encoded and can be read by anyone, so never put secrets in it.
What does decoding a JWT show?
The header and payload as readable JSON, including standard claims like exp (expiry), iat (issued-at) and iss (issuer).