|||||
SyncBuilder
Back to the blog
AuthJuly 16, 2026·1 min read

What is a JWT? A plain-language guide to JSON Web Tokens

By SyncBuilder

A JWT (JSON Web Token) is a compact, URL-safe token that is widely used for authentication and for passing claims between services. If you have ever logged into an app and stayed signed in, there is a good chance a JWT was involved behind the scenes.

The three parts of a JWT

A JWT is made of three base64url-encoded parts separated by dots: the header, the payload and the signature. The header names the algorithm used to sign the token, the payload holds the claims, and the signature lets the receiver verify that the token was not tampered with.

Common claims you will see

  • sub - the subject, usually the user the token represents
  • exp - the expiry time, after which the token is no longer valid
  • iat - issued at, the time the token was created
  • nbf - not before, the time the token becomes valid
  • iss - the issuer that created and signed the token

Important: base64url is encoding, not encryption. Anyone can read a JWT payload, so never put secrets in it. Decoding a token is also not the same as verifying it. The signature must be checked on the server with the secret or public key.

Want to look inside a token right now? Our free JWT Decoder reads the header, payload and expiry entirely in your browser, so the token never leaves your machine. Note that it decodes rather than verifies, so it does not check the signature.

Try the free tool

Open tool