Velohost

JWT support

JWT FAQs

Clear explanations of how JSON Web Tokens work, what decoded claims mean, how signatures are verified, and how to use JWTs securely.

What is a JWT?

A JWT (JSON Web Token) is a compact, URL-safe token format used to transmit claims between systems, most commonly for authentication and API access.

What are the parts of a JWT?

A JWT consists of three parts separated by dots: a header (naming the signing algorithm and token type), a payload (the claims), and a signature computed over the encoded header and payload. Each part is Base64URL-encoded without padding characters.

What does decoding a JWT do?

Decoding a JWT reveals the header and payload contents in readable JSON format. It does not verify the signature or confirm authenticity.

Does decoding a JWT verify it?

No. Decoding only shows the data inside the token. Verification requires validating the signature using a secret or public key.
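The three answers above (structure, decoding, verification) are easiest to see with a token in hand. The following is an added example, not Velohost's decoder code: it mints an HS256 token under a constructed secret, decodes it the way a decoder tool does, then tampers with the payload and shows that the forged token still decodes cleanly but fails signature verification. The secret, claims and helper names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret; a real issuer loads this from a secrets store.
SECRET = b"example-shared-secret-do-not-use"


def b64url_decode(segment: str) -> bytes:
    """Base64URL-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Base64URL-encode without padding, as JWTs require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def encode_json(obj: dict) -> str:
    """Compact JSON, then Base64URL: the form used for header and payload."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token so the example has a realistic input (hypothetical issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{encode_json(header)}.{encode_json(payload)}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def decode_unverified(token: str) -> tuple:
    """What a decoder does: return (header, payload). Establishes no trust at all."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature_b64))


def tamper_payload(token: str, new_payload: dict) -> str:
    """Swap the payload segment but keep the original signature (an attacker's edit)."""
    header_b64, _payload_b64, signature_b64 = token.split(".")
    return f"{header_b64}.{encode_json(new_payload)}.{signature_b64}"


def demo() -> dict:
    payload = {"sub": "user-123", "role": "user", "exp": 1900000000}
    genuine = make_hs256_token(payload, SECRET)
    forged = tamper_payload(genuine, {**payload, "role": "admin"})
    return {
        "genuine_role": decode_unverified(genuine)[1]["role"],  # "user"
        "forged_role": decode_unverified(forged)[1]["role"],    # "admin": decoding shows the lie
        "genuine_verifies": verify_hs256(genuine, SECRET),      # True
        "forged_verifies": verify_hs256(forged, SECRET),        # False
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the forged token is that a decoder cannot tell it from the genuine one; only recomputing the signature with the key can. Note that `hmac.compare_digest` is used rather than `==` so the comparison does not leak timing information about the signature.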

Are JWTs encrypted?

Not in the usual case. A standard signed JWT (a JWS) is only Base64URL-encoded, which is reversible and provides no confidentiality: anyone holding the token can read its payload. Encrypted JWTs (JWE, which have five dot-separated parts rather than three) exist but are far less common; unless you know a token is a JWE, assume its contents are readable.

Is it safe to store sensitive data in a JWT?

No. Because JWT payloads are readable, sensitive data such as passwords or personal information should never be stored inside a JWT.

What are JWT claims?

Claims are key-value pairs inside the JWT payload that describe information such as user identity, permissions, issuer, and expiration time.

What are registered JWT claims?

Registered claims are the standardised fields defined in RFC 7519: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). All are optional in the specification, so a verifier must decide which ones it requires.

Can JWTs contain custom claims?

Yes. Applications often include custom claims, but they should be kept minimal to reduce token size and exposure.

What does the exp claim mean?

The exp claim is a NumericDate (seconds since the Unix epoch) after which the JWT must not be accepted. Verifiers should always check it, allowing at most a small leeway for clock skew between issuer and verifier.

What happens when a JWT expires?

Once expired, a JWT should be rejected. Applications typically issue a new token using a refresh token or re-authentication.
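As an added example (not Velohost's code), this is the claim check a verifier runs after the signature has been confirmed: expiry with a small clock-skew leeway, nbf and iat sanity checks, and issuer and audience matching. The issuer URL, audience name, timestamps and sample payloads are constructed for the example, and the fixed value of `now` keeps it deterministic; in production pass `time.time()`.

```python
def check_claims(payload: dict, *, expected_iss: str, expected_aud: str,
                 now: float, leeway: int = 30) -> list:
    """Return a list of claim problems; an empty list means the claims are acceptable.

    Run this only after the signature has verified: claims in an unverified token
    are attacker-controlled. `now` is Unix time; `leeway` (seconds) tolerates
    small clock skew between issuer and verifier.
    """
    problems = []

    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        # Policy choice for this example: a token without exp is never accepted.
        problems.append("exp missing or not numeric")
    elif now > exp + leeway:
        problems.append(f"expired at {int(exp)} (now {int(now)})")

    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        problems.append("not yet valid (nbf is in the future)")

    iat = payload.get("iat")
    if isinstance(iat, (int, float)) and iat > now + leeway:
        problems.append("iat is in the future")

    if payload.get("iss") != expected_iss:
        problems.append(f"issuer {payload.get('iss')!r} is not {expected_iss!r}")

    # aud may be a single string or a list of strings; this verifier must appear in it.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        problems.append(f"audience {aud!r} does not include {expected_aud!r}")

    return problems


# Constructed sample inputs; the issuer and audience names are hypothetical.
NOW = 1_700_000_000
ISSUER = "https://issuer.example"
AUDIENCE = "orders-api"

VALID = {"iss": ISSUER, "sub": "user-123", "aud": [AUDIENCE, "billing-api"],
         "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 900}
WITHIN_LEEWAY = {**VALID, "exp": NOW - 10}        # expired 10 s ago, inside 30 s leeway
EXPIRED = {**VALID, "exp": NOW - 3600}
WRONG_AUDIENCE = {**VALID, "aud": "billing-api"}
NO_EXPIRY = {k: v for k, v in VALID.items() if k != "exp"}


def demo() -> dict:
    samples = [("valid", VALID), ("within_leeway", WITHIN_LEEWAY), ("expired", EXPIRED),
               ("wrong_audience", WRONG_AUDIENCE), ("no_expiry", NO_EXPIRY)]
    return {name: check_claims(p, expected_iss=ISSUER, expected_aud=AUDIENCE, now=NOW)
            for name, p in samples}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Returning a list of problems rather than a single boolean makes the failure reason available for logging without exposing it to the client; the response to the caller should still be a plain 401.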

How are JWTs signed?

JWTs are signed with a cryptographic algorithm named in the header's alg field, such as HS256 (HMAC with SHA-256 over a shared secret), RS256 (RSA with SHA-256) or ES256 (ECDSA on P-256 with SHA-256). The signature covers the encoded header and payload, so any change to either invalidates it.

What is the difference between HS256 and RS256?

HS256 uses one shared secret for both signing and verification, so every party that can verify a token can also forge one. RS256 uses an asymmetric key pair: the issuer signs with the private key and verifiers need only the public key, so the signing key is never exposed to them. In either case the verifier must pin the algorithm it expects rather than trusting the header, since a verifier that accepts both can be tricked into treating the RSA public key as an HMAC secret.

Are JWTs secure by default?

JWTs are only as secure as their validation. Letting the token's own header choose the algorithm (including alg "none", which means no signature at all), using short or guessable HMAC secrets, skipping the exp, iss and aud checks, or acting on decoded claims without verifying the signature all lead to serious vulnerabilities.
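The "accepting unsigned tokens" mistake is concrete enough to demonstrate. The following is an added example, not code from Velohost or any particular library: a vulnerable verifier that lets the token's header pick the algorithm, next to a hardened one that pins HS256. The attacker's token has alg "none" and an empty signature segment; the secret and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"example-shared-secret-do-not-use"  # constructed example secret


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def hs256_signature(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()


def verify_trusting_header(token: str, secret: bytes) -> bool:
    """VULNERABLE: the token's own header decides how it is verified."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "none":
        # Honours an unsigned token: anyone can mint one with any claims.
        return signature_b64 == ""
    if alg == "HS256":
        expected = hs256_signature(f"{header_b64}.{payload_b64}", secret)
        return hmac.compare_digest(expected, b64url_decode(signature_b64))
    return False


def verify_pinned(token: str, secret: bytes) -> bool:
    """HARDENED: the verifier decides the algorithm; the header must match it."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256" or not signature_b64:
        return False
    expected = hs256_signature(f"{header_b64}.{payload_b64}", secret)
    return hmac.compare_digest(expected, b64url_decode(signature_b64))


def signed_token(payload: dict, secret: bytes) -> str:
    """A legitimately issued HS256 token (hypothetical issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{encode_json(header)}.{encode_json(payload)}"
    return f"{signing_input}.{b64url_encode(hs256_signature(signing_input, secret))}"


def unsigned_token(payload: dict) -> str:
    """What an attacker submits: alg "none" and an empty signature segment."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{encode_json(header)}.{encode_json(payload)}."


def demo() -> dict:
    legit = signed_token({"sub": "user-123", "role": "user"}, SECRET)
    forged = unsigned_token({"sub": "user-123", "role": "admin"})
    return {
        "trusting_accepts_legit": verify_trusting_header(legit, SECRET),    # True
        "trusting_accepts_forged": verify_trusting_header(forged, SECRET),  # True: the bug
        "pinned_accepts_legit": verify_pinned(legit, SECRET),               # True
        "pinned_accepts_forged": verify_pinned(forged, SECRET),             # False
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same pinning rule applies to asymmetric algorithms: a verifier configured for RS256 should reject a token whose header says HS256, rather than trying to verify it as an HMAC with the public key as the secret.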

Can JWTs be revoked?

Not easily. A verifier needs nothing but the key to accept a token, so once issued it remains valid until exp. Revocation is usually approximated with short expiration times combined with refresh tokens, or with server-side tracking such as a denylist keyed on the jti claim, which reintroduces some of the state JWTs were meant to avoid.

Where should JWTs be stored?

JWTs should be stored where page scripts cannot read them. For browser clients that typically means a cookie with the HttpOnly, Secure and SameSite attributes, which keeps the token out of reach of XSS but means the application must also defend against CSRF. Tokens kept in localStorage or sessionStorage are readable by any injected script.

What are common JWT implementation mistakes?

Common mistakes include trusting decoded tokens without verifying the signature, letting the header choose the algorithm (alg "none" and RSA/HMAC key confusion), using weak or shared secrets, skipping the aud and iss checks so a token for one service is accepted by another, storing sensitive data in the payload, and setting long expiration times.

How do JWTs differ from traditional sessions?

JWTs are stateless and self-contained, while traditional sessions rely on server-side storage and session identifiers.

When should JWTs be used?

JWTs are best suited for stateless authentication, API access, and distributed systems where server-side session storage is impractical.

Does decoding a JWT affect privacy?

Decoding does not modify the token or contact external systems, but JWT contents may expose user data if shared improperly.

Does Velohost store JWTs or decoded data?

No. JWT decoding is performed live. No tokens, payloads, or results are stored or logged.
