About JSON Web Tokens
- Header: Contains token type (typ) and signing algorithm (alg)
- Payload: Contains the claims (data) - subject, expiration, custom data, etc.
- Signature: Cryptographic signature to verify token integrity
- Format: Three Base64-URL encoded parts separated by dots (header.payload.signature)
Common Claims
- iss (Issuer): Who issued the token
- sub (Subject): Who the token is about (usually user ID)
- aud (Audience): Who the token is intended for
- exp (Expiration): When the token expires (Unix timestamp)
- iat (Issued At): When the token was issued (Unix timestamp)
- nbf (Not Before): Token not valid before this time
Security Notes
- JWTs are signed but not encrypted - anyone can decode and read the contents
- Never put sensitive information (passwords, credit cards) in JWT payloads
- Always verify the signature on the server side
- Use strong signing algorithms (RS256, ES256) for production
- All decoding happens locally in your browser - no data is sent to any server