Glossary
JWT
JSON Web Token
JWT (JSON Web Token, pronounced “jot”) is a token format defined in RFC 7519 for transmitting signed claims between parties. A JWT is three base64url-encoded segments separated by dots: header.payload.signature.
The header declares the signing algorithm (HS256, RS256, ES256, etc.). The payload is a JSON object of claims — sub (subject), iss (issuer), exp (expiry), iat (issued at), plus any application-specific fields. The signature is computed over base64url(header) + "." + base64url(payload) using the algorithm declared in the header and the issuer's key.
JWTs are used for stateless authentication (the server doesn’t need to store sessions; it verifies the signature on each request), inter-service authorization (OAuth 2.0 bearer tokens, OpenID Connect ID tokens), and short-lived URLs that encode access claims.
Common pitfalls: trusting alg: none, accepting symmetric-keyed (HS256) tokens where an asymmetric algorithm (RS256, ES256) was expected, and not validating exp. The JWT decoder inspects a token’s contents — it doesn’t verify the signature, because verification requires the issuer’s key.
Published May 14, 2026