UtilityBase logoUtilityBase

2 min read

How JWT Authentication Works

What the three dot-separated parts of a JWT contain, why anyone can read one but only the server can trust it, and the safety rules for handling real tokens.

Three parts, separated by dots

A JSON Web Token is three Base64URL-encoded segments joined by dots: header.payload.signature. The header names the signing algorithm (like HS256 or RS256) and the token type. The payload holds the claims — the actual data, such as who the user is and when the token expires. The signature is a cryptographic seal over the first two parts, created with a secret or private key the server holds.

Because the first two parts are only encoded, not encrypted, anyone can decode and read them. That's by design: the token is meant to be read by the client and the server alike. What stops tampering isn't secrecy but the signature — change a single character in the payload and the signature no longer matches, so the server rejects it. A JWT is a tamper-evident envelope, not a locked box.

Claims: what's inside the payload

The payload is a small JSON object of claims. Registered claims have standard short names: sub (subject — usually the user ID), iss (issuer), aud (audience), exp (expiration time as a Unix timestamp), and iat (issued-at). Applications add their own claims too, like a role or permission set, so the server can make authorization decisions without a database lookup on every request.

The exp claim is the one to watch. It's a Unix timestamp after which the token is invalid, and it's why sessions expire. Because the payload is readable, you can decode a token and check its exp to see exactly when it dies — useful when debugging a login that keeps dropping. Just remember that a client reading exp is informational; the server independently enforces it during verification.

  1. 1Copy the token — but only a test or expired one, never a live production token.
  2. 2Paste it into the JWT Decoder to split it into header, payload, and signature.
  3. 3Read the payload claims: check sub, the role, and especially exp.
  4. 4Convert the exp timestamp to a readable date to see when the token expires.
  5. 5Note that the decoder shows the contents but does not — and cannot — prove the signature is valid without the key.

Decoding is not verifying — and a safety rule

This is the concept people miss: reading a JWT tells you what it claims, not whether those claims are trustworthy. Verification is a separate step where the server recomputes the signature using its secret (HS256) or the issuer's public key (RS256) and checks it matches, then confirms exp hasn't passed and the issuer and audience are expected. Only after verification should any claim be trusted. A decoder that just splits and Base64-decodes the token has verified nothing.

That leads to a practical safety rule: never paste a real, active token into an online decoder that sends it to a server, because a valid token is a live credential — whoever holds it can impersonate you until it expires. Prefer a decoder that runs entirely in your browser (this one does), or use expired and test tokens. Treat a JWT like a password you can read: harmless to inspect locally, dangerous to hand to a stranger.

Frequently asked questions

Is the data in a JWT encrypted?

No. The header and payload are Base64URL-encoded, not encrypted, so anyone can decode and read them. The signature prevents tampering, not reading. Never put secrets in a JWT payload — assume the client and anyone who intercepts the token can see every claim.

Why can a decoder show my token's contents without a key?

Because decoding just reverses the Base64URL encoding of the header and payload, which needs no key. Verifying the signature is what requires the secret or public key. That's the whole 'decode is not verify' point: readable does not mean trusted.

Is it safe to paste a token into an online JWT decoder?

Only if it's expired or a test token, or if the decoder runs entirely in your browser. An active token is a working credential; sending it to someone else's server hands them the ability to impersonate you until it expires. Prefer client-side tools and avoid pasting live tokens.

Tools mentioned in this guide

Keep reading