What Is a JWT Token? A Simple Explanation for Developers
If you're building anything on the web that requires users to log in, you've probably seen JWT tokens. They show up in headers, cookies, and local storage. They look like random gibberish:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
But they're actually not random at all. There's a clear structure hiding in there.
Three parts, separated by dots
A JWT has three sections:
Header — Tells you the token type (JWT) and the signing algorithm (like HS256 or RS256).
Payload — The actual data. User ID, name, email, roles, expiration time — whatever the server decided to include.
Signature — A cryptographic signature (an HMAC for HS256, an RSA signature for RS256) computed over the header and payload. It proves the token hasn't been tampered with. The server creates it using a secret key (or, with RS256, its private key).
How authentication works with JWT
The flow is straightforward: you log in with your credentials, the server verifies them and issues a JWT containing your user info. From then on, your browser sends that JWT with every request. The server checks the signature (and the expiration) and, only if both are valid, reads your info from the token, so it doesn't need to query the database on every request.
Why not just use sessions?
Traditional sessions store user data on the server. JWTs store it in the token itself. The advantage? JWTs are stateless — the server doesn't need to maintain session storage. This matters when you have multiple servers behind a load balancer, or when you're building APIs consumed by mobile apps.
Security considerations
JWTs are not encrypted by default. The payload is only Base64-encoded, which means anyone who holds the token can read it. Never put sensitive data (passwords, SSNs) in a JWT payload.
Always check expiration. JWTs should have short lifetimes (15 minutes to a few hours). Use refresh tokens for longer sessions.
Store tokens carefully. Storing JWTs in localStorage makes them vulnerable to XSS attacks, because any script running on the page can read them. HttpOnly cookies are generally safer, since JavaScript can't read them; cookie-based tokens then need CSRF protection.
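To make the three-part structure, the server-side validation step and the security notes above concrete, here is an added example (not code from the original article) that decodes the sample token shown above with nothing but Base64, then builds and verifies an HS256 token with a constructed secret, checking the signature in constant time, pinning the algorithm, and enforcing exp. The secret, the sample payload and the timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# The token shown earlier in the article (header.payload.signature).
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

def b64url_encode(data: bytes) -> str:
    # JWTs use URL-safe Base64 with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # Restore the padding the token omitted, then decode.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(token: str):
    """Read header and payload without checking anything: any client can do this,
    which is exactly why secrets never belong in the payload."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload and sign it with HMAC-SHA256 (the HS256 algorithm)."""
    def compact(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the payload only if the signature is valid and the token is not expired."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; the token's own header must not choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:  # RFC 7519: now must be before exp
        raise ValueError("token expired")
    return payload

def verify_result(token: str, secret: bytes, now=None) -> str:
    """Report 'ok' or the reason the token was rejected."""
    try:
        verify_hs256(token, secret, now)
        return "ok"
    except ValueError as e:
        return str(e)
```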
Decoding JWTs
When you're debugging authentication issues, being able to quickly see what's inside a JWT is invaluable. Toolozo's JWT Decoder lets you paste a token and instantly see the header, payload, and expiration details. Everything runs locally — the token never leaves your browser, which is important since JWTs contain sensitive authentication data.
Frequently Asked Questions
Are JWT tokens encrypted?
No, standard JWTs are only Base64-encoded, not encrypted. Anyone can read the payload. Never put passwords or sensitive data in a JWT.
How long should a JWT token last?
Short-lived tokens (15 minutes to a few hours) are recommended. Use refresh tokens for longer sessions to improve security.