JWT — Explained with Examples
JWT (JSON Web Token) is a compact, URL-safe token format for securely transmitting claims between parties as a JSON object with optional signing.
JWT stands for JSON Web Token, defined by RFC 7519. It’s widely used for authentication, authorization, and secure information exchange in web applications.
JWT Structure
A JWT consists of three parts separated by dots: Header, Payload, and Signature.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c// Header — algorithm and token type
{
"alg": "HS256",
"typ": "JWT"
}
// Payload — claims (data)
{
"sub": "1234567890",
"name": "Alice",
"iat": 1516239022
}The signature is created by combining the encoded header and payload with a secret key using the specified algorithm.
Real-World Analogy
A JWT is like a stamped, sealed envelope. The header is the envelope’s outer markings (stamp, return address), the payload is the letter inside, and the signature is the wax seal. Anyone can read the letter (payload is base64-encoded, not encrypted), but only the sender with the secret key can create a valid seal. Tampering breaks the seal.
Stateless Authentication
JWTs enable stateless auth: the server signs the token, the client stores it, and the server verifies it on each request without session storage.
const jwt = require('jsonwebtoken');
// Sign a token
const token = jwt.sign(
{ userId: 1, role: 'admin' },
'your-secret-key',
{ expiresIn: '1h' }
);
// Verify a token
try {
const decoded = jwt.verify(token, 'your-secret-key');
console.log('Valid:', decoded); // { userId: 1, role: 'admin', iat: ..., exp: ... }
} catch (err) {
console.log('Invalid token');
}Related Terms
OAuth, SSO, Authentication vs Authorization, HTTP, REST
Related Tutorial
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro