
JWT Tokens Explained: Structure, Security & How to Decode Them

20 October 2025, 6 min read

What Is a JWT?

A JSON Web Token (JWT, RFC 7519) is a compact, URL-safe token that carries a set of claims (JSON data) from an issuer to a verifier. It is used for authentication (a login service issues the token, an API accepts it as proof of who the caller is and what they may do) and for general information exchange, and it is one of the most widely used token formats for API authentication today.

JWT Structure

A JWT consists of three base64url-encoded parts separated by dots:

header.payload.signature

Header: specifies the signing algorithm and the token type:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload: contains the claims (the data the token carries):

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

Signature: computed with the key over the encoded header and payload (for HS256, an HMAC-SHA256 of the string header.payload). The verifier recomputes it and can therefore tell whether either part was changed after signing. The signature proves integrity and origin; it does not hide the contents.

Common JWT Claims

| Claim | Full name  | Purpose |
|-------|------------|---------|
| sub   | Subject    | The principal the token is about, typically a user ID |
| iat   | Issued At  | Unix timestamp of when the token was created |
| exp   | Expiration | Unix timestamp after which the token must be rejected |
| nbf   | Not Before | Unix timestamp before which the token must be rejected |
| iss   | Issuer     | Who created and signed the token |
| aud   | Audience   | Which service(s) the token is intended for; a verifier should reject tokens not addressed to it |
| jti   | JWT ID     | Unique token identifier, useful for revocation lists and replay detection |
| role  | Role       | Custom claim (not registered in RFC 7519) carrying the user's permission level; its meaning is whatever issuer and verifier agree on |
Decoding JWTs with Fluranto

The JWT Decoder tool instantly parses any JWT:

  • Paste your JWT token
  • See the decoded header, payload, and metadata
  • Check expiration status
  • Verify the token structure

Security Best Practices

  • Never store JWTs in localStorage, where any script running on the page can read them; send them in an httpOnly, Secure cookie (with SameSite set) instead
  • Set short expiration times, for example 15 minutes for access tokens, so a stolen token is useful only briefly
  • Use refresh tokens: longer-lived tokens whose only purpose is to obtain new access tokens, kept where the server can revoke them
  • Validate on the server: check the signature with a key you control, then exp, iss and aud; client-side decoding is for display only and proves nothing. Accept only an explicit allow-list of algorithms, never "none" and never whatever the token's own header asks for
  • Use strong signing algorithms: prefer RS256 (or ES256) over HS256 when more than one party verifies tokens. Verifiers then hold only the public key, so a compromised verifier cannot mint tokens, whereas with HS256 every verifier holds the signing secret

JWTs Are NOT Encrypted

Critical misunderstanding: in the common signed form (JWS), a JWT is signed, not encrypted. The payload is only base64url encoded, so anyone who holds the token can decode it without any key; the signature proves it was not modified and who issued it, nothing more. An encrypted variant (JWE, RFC 7516) exists but is far less common; unless you are deliberately using it, treat the payload as public and never put sensitive data (passwords, SSNs, credit card numbers) in it.
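As an added example (not the Fluranto tool's code), the script below builds the three-part HS256 token described in the structure section, decodes its payload without any key (the point of the section above), and then performs the server-side checks from the best-practices list: an algorithm allow-list, a constant-time signature comparison, and exp, iss and aud validation. It uses only the Python standard library. The secret, issuer and audience are made-up values; the claims are the article's sample payload with iss and aud added.

```python
"""Added example (not Fluranto's code): build, decode and verify an HS256 JWT
with the Python standard library only. SECRET, ISSUER, AUDIENCE and the extra
claim values are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # assumed shared HS256 key
ISSUER = "https://issuer.example"                  # assumed issuer value
AUDIENCE = "api.example"                           # assumed audience value
ALLOWED_ALGS = {"HS256"}   # server-side allow-list; the token header never chooses
SAMPLE_CLAIMS = {          # the article's sample payload, plus iss/aud for the checks
    "sub": "1234567890", "name": "John Doe",
    "iat": 1516239022, "exp": 1516239022 + 900,  # 15-minute access token
    "iss": ISSUER, "aud": AUDIENCE,
}


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # put the padding back before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_b64url(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """header.payload.signature; alg='none' yields an unsigned token (negative test only)."""
    h, p = json_b64url({"alg": alg, "typ": "JWT"}), json_b64url(claims)
    signing_input = f"{h}.{p}".encode("ascii")
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def decode_unverified(token: str):
    """Read header and payload WITHOUT the key: the payload is encoded, not encrypted."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def forge_claims(token: str, changes: dict) -> str:
    """What an attacker can do without the key: edit claims and keep the old signature."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims.update(changes)
    return f"{h}.{json_b64url(claims)}.{s}"


def verify_jwt(token, key, issuer, audience, now=None, leeway=30) -> dict:
    """Server-side validation: signature first, then exp/iss/aud. Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in ALLOWED_ALGS:  # pin the algorithm before touching the signature
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))  # claims are trusted only after the signature check
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise ValueError("token expired or has no exp")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # aud may be a string or a list of strings
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("wrong audience")
    return claims


def rejection_reason(token, key=SECRET, issuer=ISSUER, audience=AUDIENCE, now=None) -> Optional[str]:
    """None when the token verifies, otherwise the reason it was rejected."""
    try:
        verify_jwt(token, key, issuer, audience, now=now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = SAMPLE_CLAIMS["iat"] + 60
    token = make_jwt(SAMPLE_CLAIMS, SECRET)
    print(token)
    print("decoded without key:", decode_unverified(token))
    print("valid token:", rejection_reason(token, now=now))
    print("forged sub:", rejection_reason(forge_claims(token, {"sub": "admin"}), now=now))
    print("alg=none:", rejection_reason(make_jwt(SAMPLE_CLAIMS, SECRET, alg="none"), now=now))
    print("expired:", rejection_reason(token, now=SAMPLE_CLAIMS["exp"] + 3600))
    print("wrong audience:", rejection_reason(token, audience="other.example", now=now))
```

The order of checks in verify_jwt is deliberate: the algorithm is pinned from a server-side constant before the signature is computed, the signature is checked before any claim is read, and only then are exp, iss and aud compared against values the server already knows. Forging a claim, presenting an unsigned token, or reusing an expired one all fail at a distinct, named check.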
