A JSON Web Token (JWT) is a compact, URL-safe token consisting of three Base64url-encoded sections separated by dots: a header, a payload, and a signature. It is used to transmit claims between parties in a way that can be verified and trusted.

Is the data inside a JWT encrypted?

No. The header and payload are Base64url-encoded, not encrypted. Anyone who holds the token can decode and read the payload. Never store sensitive data like passwords or payment details in a JWT payload.

What is the difference between HS256 and RS256?

HS256 uses a shared secret key — the same key signs and verifies the token. RS256 uses an asymmetric RSA key pair — a private key signs, and a public key verifies. RS256 is preferred when the verifier should not be able to issue new tokens.

Should I store a JWT in localStorage or a cookie?

HttpOnly cookies are generally safer. localStorage is accessible to JavaScript, making tokens vulnerable to XSS attacks. An HttpOnly cookie cannot be read by JavaScript and is automatically sent with same-origin requests.

← Learn

How Do JWTs Work? JSON Web Tokens Explained

Updated 14 May 2026

A JWT is a compact, self-contained token used to securely transmit information between parties. Learn how the three parts work, how HMAC signatures are verified, and when to use — or avoid — JWTs.

The one-sentence explanation

A JWT is a string that looks like gibberish but is actually three Base64url-encoded JSON objects separated by dots — a header, a payload, and a signature — that together let a server verify a claim without storing any state.

What a JWT looks like

A JWT has three parts separated by dots. Each part is Base64url-encoded:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header Payload Signature

The three parts explained

1. Header

The header declares the token type and the signing algorithm. Decoded, it looks like:

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

The payload contains claims — statements about the user or token. Standard claims include:

Claim	Name	Meaning
sub	Subject	Who the token is about (e.g. a user ID)
iss	Issuer	Who issued the token (e.g. your auth server)
exp	Expiry	Unix timestamp after which the token is invalid
iat	Issued at	Unix timestamp when the token was created
aud	Audience	Who the token is intended for

Important: The payload is Base64url-encoded, not encrypted. Anyone who holds the token can decode and read it. Never put passwords, credit card numbers, or other secrets in the payload.

3. Signature

The signature proves the token has not been tampered with. For HS256 it is calculated as:

HMAC-SHA256(
  base64url(header) + "." + base64url(payload),
  secret
)

To verify a token, the server re-runs this calculation with its secret and compares the result to the signature in the token. If they match, the payload has not been modified.

Signing algorithms — HS256 vs RS256

Algorithm	Type	Key	When to use
HS256 / HS384 / HS512	HMAC (symmetric)	Shared secret	Single service that both issues and verifies tokens
RS256 / RS384 / RS512	RSA (asymmetric)	Private key signs, public key verifies	Multiple services verify tokens but only one issues them
ES256	ECDSA (asymmetric)	Private key signs, public key verifies	Same as RS256 but smaller key and signature size

The number in the algorithm name refers to the SHA hash size. HS256 uses SHA-256, HS512 uses SHA-512. A larger hash provides more security margin but produces a slightly longer signature.

How JWT authentication works in practice

User logs in with their credentials. The server validates them.
The server creates a JWT with claims like sub (user ID) and exp (expiry), signs it with a secret, and returns it to the client.
The client stores the token (ideally in an HttpOnly cookie) and sends it with every subsequent request in the Authorization: Bearer <token> header.
The server verifies the signature and checks exp. If valid, it trusts the claims in the payload without hitting a database.

This is the key benefit: the server does not need to look up session state on every request. The token is self-contained.

When not to use JWTs

You need to invalidate tokens immediately — a JWT is valid until it expires. If a user logs out or is banned, the token remains valid until expiry unless you maintain a deny-list, which negates the stateless benefit.
The token is stored in localStorage — any XSS vulnerability on your page can steal a localStorage token. Prefer HttpOnly cookies.
The payload contains sensitive data — remember, the payload is readable by anyone who holds the token. Use opaque session IDs instead if you need to keep claims private.
Simple single-server applications — if you have one server and a database, a standard session cookie is simpler and just as effective.

Related guides

Decode, verify, and sign JWTs in your browser

Inspect any token instantly — nothing is sent to a server

Open JWT Tool →