Blog
What Is JWT and How Does It Work? A Complete Beginnerβs Guide
Learn what JWT is, how JSON Web Tokens work, what header, payload, and signature mean, and why developers use JWT for authentication in modern web applications.

What Is JWT and How Does It Work?
If you've worked with modern web applications, you've probably seen the term JWT or JSON Web Token. JWT is one of the most popular methods for securely transmitting information between a client and a server. It is widely used for authentication, authorization, and API security.
In this guide, you'll learn what JWT is, how it works, why developers use it, and when it should or shouldn't be used.
What Is JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information as a compact JSON object.
A JWT is digitally signed, allowing the receiver to verify that the token hasn't been modified.
Unlike traditional session-based authentication, JWT stores authentication data inside the token itself instead of keeping it on the server.
Structure of a JWT
A JWT consists of three parts separated by dots.
xxxxx.yyyyy.zzzzz
1. Header
The header contains metadata about the token.
Example:
{
"alg": "HS256",
"typ": "JWT"
}
- alg specifies the signing algorithm.
- typ indicates that this is a JWT.
The header is Base64Url encoded.
2. Payload
The payload contains the actual information (called claims).
Example:
{
"userId": 15,
"email": "john@example.com",
"role": "admin"
}
Common claims include:
- user ID
- username
- roles
- permissions
- expiration time
The payload is not encrypted. Anyone with the token can decode it.
3. Signature
The signature verifies that the token hasn't been modified.
It is generated using:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)
Only the server knows the secret key used to generate the signature.
How JWT Authentication Works
A typical authentication flow looks like this:
- The user logs in.
- The server validates the credentials.
- The server creates a JWT.
- The JWT is sent back to the client.
- The client stores the token.
- Every future request includes the JWT.
- The server validates the signature.
- If valid, access is granted.
This process removes the need for storing session data on the server.
Where Is JWT Used?
JWT is commonly used in:
- User authentication
- REST APIs
- Single Page Applications (React, Vue, Angular)
- Mobile applications
- OAuth 2.0
- Microservices
- API gateways
Advantages of JWT
JWT offers several important benefits:
- Stateless authentication
- Compact token size
- Fast verification
- Easy to use across multiple services
- Works well with mobile applications
- Ideal for distributed systems
JWT vs Sessions
| JWT | Sessions |
|---|---|
| Stored on the client | Stored on the server |
| Stateless | Stateful |
| Better for APIs | Better for traditional websites |
| Easy to scale | Requires session storage |
Both approaches are valid depending on your application's needs.
Is JWT Secure?
JWT can be very secure when implemented correctly.
Best practices include:
- Always use HTTPS.
- Set expiration times.
- Never store sensitive information inside the payload.
- Use strong signing algorithms.
- Rotate secret keys when necessary.
- Validate every incoming token.
Common Mistakes
Many beginners make these mistakes:
- Storing passwords inside JWTs
- Forgetting token expiration
- Not validating the signature
- Using weak secrets
- Sending tokens over HTTP instead of HTTPS
Avoiding these mistakes greatly improves application security.
Example JWT
A typical JWT looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJ1c2VySWQiOjE1LCJyb2xlIjoiYWRtaW4ifQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Although it appears random, each section represents the Header, Payload, and Signature.
Conclusion
JWT is one of the most widely used authentication technologies in modern web development. It provides a compact, secure, and scalable way to transmit user information between clients and servers.
Understanding how JWT works is essential for anyone building APIs, web applications, or mobile apps. When combined with HTTPS, proper validation, and secure signing, JWT becomes a powerful solution for authentication and authorization.