Back to Blog

JWT (JSON Web Tokens)

Shreya Srivastava

Mar 18, 2024

What is JWT?

JSON Web Tokens (JWTs) are a standardized way to securely send data between two parties. They contain information (claims) encoded in the JSON format. These claims help share specific details between the parties involved.

At its core, a JWT is a mechanism for verifying the authenticity of some JSON data. This is possible because each JWT is signed using cryptography to guarantee that its contents have not been tampered with during transmission or storage.

It’s important to note that a JWT guarantees data ownership but not encryption. The reason is that the JWT can be seen by anyone who intercepts the token because it’s serialized, not encrypted.

It is strongly advised to use JWTs with HTTPS, a practice that extends to general web security. HTTPS not only safeguards the confidentiality of JWT contents during transmission but also provides a broader layer of protection for data in transit.

A JWT is just a string that looks like this:
xxxxx.yyyyy.zzzzz

It has 3 parts:

Header – says the token type (JWT) and algorithm used (like HS256).
Payload – contains the actual data (like user ID, role, or permissions).
Signature – ensures the token wasn’t changed by anyone.

It’s important to note that a JWT guarantees data ownership but not encryption. The reason is that the JWT can be seen by anyone who intercepts the token because it’s serialized, not encrypted.

A JWT is just a string that looks like this:
xxxxx.yyyyy.zzzzz

It has 3 parts:

Header – says the token type (JWT) and algorithm used (like HS256).
Payload – contains the actual data (like user ID, role, or permissions).
Signature – ensures the token wasn’t changed by anyone.

It’s important to note that a JWT guarantees data ownership but not encryption. The reason is that the JWT can be seen by anyone who intercepts the token because it’s serialized, not encrypted.

A JWT is just a string that looks like this:
xxxxx.yyyyy.zzzzz

It has 3 parts:

Header – says the token type (JWT) and algorithm used (like HS256).
Payload – contains the actual data (like user ID, role, or permissions).
Signature – ensures the token wasn’t changed by anyone.

How Does JWT Work?

1. User Logs In

A user enters username & password.
The server verifies the credentials.
If correct, the server creates a JWT containing user info (e.g., userId: 123, role: "admin") and signs it with a secret key.

2. Token Sent to Client

The JWT is sent back to the client (usually in a login response).
Client stores it safely (localStorage, sessionStorage, or cookies).

3. Client Sends JWT with Requests

For every request to a protected API, the client sends the JWT in the Authorization header like this:
Authorization: Bearer <JWT>
Authorization: Bearer <JWT

4. Server Verifies JWT

The server receives the token.
It checks the signature using the secret key:
- If valid → it trusts the data inside (like user role).
- If invalid → rejects the request (401 Unauthorized).

5. Access Granted or Denied

If the token is valid and the user has the right permissions, → server allows access.
If not, → server denies access.

Example:

User logs in → gets JWT:
{ "userId": 123, "role": "admin" }
User calls /admin/dashboard with the token.
Server checks role = "admin".
Access granted.

1. User Logs In

A user enters username & password.
The server verifies the credentials.
If correct, the server creates a JWT containing user info (e.g., userId: 123, role: "admin") and signs it with a secret key.

2. Token Sent to Client

The JWT is sent back to the client (usually in a login response).
Client stores it safely (localStorage, sessionStorage, or cookies).

3. Client Sends JWT with Requests

For every request to a protected API, the client sends the JWT in the Authorization header like this:
Authorization: Bearer <JWT>
Authorization: Bearer <JWT

4. Server Verifies JWT

The server receives the token.
It checks the signature using the secret key:
- If valid → it trusts the data inside (like user role).
- If invalid → rejects the request (401 Unauthorized).

5. Access Granted or Denied

If the token is valid and the user has the right permissions, → server allows access.
If not, → server denies access.

Example:

User logs in → gets JWT:
{ "userId": 123, "role": "admin" }
User calls /admin/dashboard with the token.
Server checks role = "admin".
Access granted.

1. User Logs In

A user enters username & password.
The server verifies the credentials.
If correct, the server creates a JWT containing user info (e.g., userId: 123, role: "admin") and signs it with a secret key.

2. Token Sent to Client

The JWT is sent back to the client (usually in a login response).
Client stores it safely (localStorage, sessionStorage, or cookies).

3. Client Sends JWT with Requests

For every request to a protected API, the client sends the JWT in the Authorization header like this:
Authorization: Bearer <JWT>
Authorization: Bearer <JWT

4. Server Verifies JWT

The server receives the token.
It checks the signature using the secret key:
- If valid → it trusts the data inside (like user role).
- If invalid → rejects the request (401 Unauthorized).

5. Access Granted or Denied

If the token is valid and the user has the right permissions, → server allows access.
If not, → server denies access.

Example:

User logs in → gets JWT:
{ "userId": 123, "role": "admin" }
User calls /admin/dashboard with the token.
Server checks role = "admin".
Access granted.

Ship bug-free software, 200% faster, in 20% testing budget. No coding required

Signup for your free trial

Ship bug-free software, 200% faster, in 20% testing budget. No coding required

Signup for your free trial

Ship bug-free software, 200% faster, in 20% testing budget. No coding required

Signup for your free trial

Structure of JWT

The structure of a JWT (JSON Web Token) is made up of three main parts, separated by dots (.):

Header
- Contains metadata about the token, such as the type of token (JWT) and the signing algorithm used (e.g., HS256, RS256).
- Example:
  {
  "alg": "HS256",
  "typ": "JWT"
  }
  { "alg": "HS256", "typ": "JWT" }
Payload
- Contains the actual data (called claims) that the token carries.
- Claims can be about the user (like user_id, role) or token metadata (like expiration time).
- Example:
  {
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "exp": 1694102400
  }
  { "sub": "1234567890", "name": "John Doe", "admin": true, "exp": 1694102400 }
Signature
- Created by taking the encoded header + encoded payload, then applying the secret key with the specified algorithm.
- Ensures that the token hasn’t been tampered with.
- Formula:
  Signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
  Signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Final JWT looks like this:

xxxxx.yyyyy.zzzzz

xxxxx.yyyyy.zzzzz

xxxxx → Encoded Header
yyyyy → Encoded Payload
zzzzz → Signature

JWT example step by step:

1. Header (before encoding)

{

"alg": "HS256",

"typ": "JWT"

}

{
  "alg": "HS256",
  "typ": "JWT"
}

After Base64Url encoding →

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

2. Payload (before encoding)

{

"sub": "1234567890",

"name": "John Doe",

"admin": true,

"exp": 1716000000

}

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "exp": 1716000000
}

After Base64Url encoding →

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0

3. Signature

We combine:

Base64UrlEncode(Header) + "." + Base64UrlEncode(Payload)

Then hash it with HMACSHA256 and a secret key (e.g., mysecretkey).

Example result:

TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Final JWT looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

{The first two parts can be decoded back to JSON (header + payload), but the signature can only be verified with the secret key. That’s how JWT ensures integrity and trust.}

The structure of a JWT (JSON Web Token) is made up of three main parts, separated by dots (.):

Header
- Contains metadata about the token, such as the type of token (JWT) and the signing algorithm used (e.g., HS256, RS256).
- Example:
  {
  "alg": "HS256",
  "typ": "JWT"
  }
  { "alg": "HS256", "typ": "JWT" }
Payload
- Contains the actual data (called claims) that the token carries.
- Claims can be about the user (like user_id, role) or token metadata (like expiration time).
- Example:
  {
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "exp": 1694102400
  }
  { "sub": "1234567890", "name": "John Doe", "admin": true, "exp": 1694102400 }
Signature
- Created by taking the encoded header + encoded payload, then applying the secret key with the specified algorithm.
- Ensures that the token hasn’t been tampered with.
- Formula:
  Signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
  Signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Final JWT looks like this:

xxxxx.yyyyy.zzzzz

xxxxx.yyyyy.zzzzz

xxxxx → Encoded Header
yyyyy → Encoded Payload
zzzzz → Signature

JWT example step by step:

1. Header (before encoding)

{

"alg": "HS256",

"typ": "JWT"

}

{
  "alg": "HS256",
  "typ": "JWT"
}

After Base64Url encoding →

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

2. Payload (before encoding)

{

"sub": "1234567890",

"name": "John Doe",

"admin": true,

"exp": 1716000000

}

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "exp": 1716000000
}

After Base64Url encoding →

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0

3. Signature

We combine:

Base64UrlEncode(Header) + "." + Base64UrlEncode(Payload)

Then hash it with HMACSHA256 and a secret key (e.g., mysecretkey).

Example result:

TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Final JWT looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

{The first two parts can be decoded back to JSON (header + payload), but the signature can only be verified with the secret key. That’s how JWT ensures integrity and trust.}

The structure of a JWT (JSON Web Token) is made up of three main parts, separated by dots (.):

Header
- Contains metadata about the token, such as the type of token (JWT) and the signing algorithm used (e.g., HS256, RS256).
- Example:
  {
  "alg": "HS256",
  "typ": "JWT"
  }
  { "alg": "HS256", "typ": "JWT" }
Payload
- Contains the actual data (called claims) that the token carries.
- Claims can be about the user (like user_id, role) or token metadata (like expiration time).
- Example:
  {
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "exp": 1694102400
  }
  { "sub": "1234567890", "name": "John Doe", "admin": true, "exp": 1694102400 }
Signature
- Created by taking the encoded header + encoded payload, then applying the secret key with the specified algorithm.
- Ensures that the token hasn’t been tampered with.
- Formula:
  Signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
  Signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Final JWT looks like this:

xxxxx.yyyyy.zzzzz

xxxxx.yyyyy.zzzzz

xxxxx → Encoded Header
yyyyy → Encoded Payload
zzzzz → Signature

JWT example step by step:

1. Header (before encoding)

{

"alg": "HS256",

"typ": "JWT"

}

{
  "alg": "HS256",
  "typ": "JWT"
}

After Base64Url encoding →

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

2. Payload (before encoding)

{

"sub": "1234567890",

"name": "John Doe",

"admin": true,

"exp": 1716000000

}

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "exp": 1716000000
}

After Base64Url encoding →

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0

3. Signature

We combine:

Base64UrlEncode(Header) + "." + Base64UrlEncode(Payload)

Then hash it with HMACSHA256 and a secret key (e.g., mysecretkey).

Example result:

TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Final JWT looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

{The first two parts can be decoded back to JSON (header + payload), but the signature can only be verified with the secret key. That’s how JWT ensures integrity and trust.}

Benefits of JWT

The main benefits of using JWT (JSON Web Token):

Stateless Authentication
- JWTs don’t require storing session data on the server.
- The server just verifies the token, making it scalable and efficient.
Compact and Fast
- JWTs are small in size (JSON format), so they can be easily sent in headers, URLs, or cookies.
- This makes them fast to transmit between client and server.
Secure (When Used Correctly)
- JWTs are signed using algorithms like HMAC or RSA, ensuring data integrity.
- They can’t be tampered with unless the secret/private key is known.
Cross-Domain / Cross-Platform Support
- JWTs work well in distributed systems, microservices, and APIs.
- They can be used across mobile apps, web apps, and different domains.
Self-Contained
- JWTs carry all the necessary user information (claims) inside the token.
- This reduces repeated database lookups for authentication.
Flexibility
- JWTs can store custom data (roles, permissions, expiration time).
- Useful for access control and fine-grained security.
Widely Adopted
- JWT is a standard (RFC 7519), supported by many libraries, frameworks, and languages.

In short: JWTs make authentication simpler, faster, and scalable for modern web and mobile applications.

The main benefits of using JWT (JSON Web Token):

Stateless Authentication
- JWTs don’t require storing session data on the server.
- The server just verifies the token, making it scalable and efficient.
Compact and Fast
- JWTs are small in size (JSON format), so they can be easily sent in headers, URLs, or cookies.
- This makes them fast to transmit between client and server.
Secure (When Used Correctly)
- JWTs are signed using algorithms like HMAC or RSA, ensuring data integrity.
- They can’t be tampered with unless the secret/private key is known.
Cross-Domain / Cross-Platform Support
- JWTs work well in distributed systems, microservices, and APIs.
- They can be used across mobile apps, web apps, and different domains.
Self-Contained
- JWTs carry all the necessary user information (claims) inside the token.
- This reduces repeated database lookups for authentication.
Flexibility
- JWTs can store custom data (roles, permissions, expiration time).
- Useful for access control and fine-grained security.
Widely Adopted
- JWT is a standard (RFC 7519), supported by many libraries, frameworks, and languages.

In short: JWTs make authentication simpler, faster, and scalable for modern web and mobile applications.

The main benefits of using JWT (JSON Web Token):

Stateless Authentication
- JWTs don’t require storing session data on the server.
- The server just verifies the token, making it scalable and efficient.
Compact and Fast
- JWTs are small in size (JSON format), so they can be easily sent in headers, URLs, or cookies.
- This makes them fast to transmit between client and server.
Secure (When Used Correctly)
- JWTs are signed using algorithms like HMAC or RSA, ensuring data integrity.
- They can’t be tampered with unless the secret/private key is known.
Cross-Domain / Cross-Platform Support
- JWTs work well in distributed systems, microservices, and APIs.
- They can be used across mobile apps, web apps, and different domains.
Self-Contained
- JWTs carry all the necessary user information (claims) inside the token.
- This reduces repeated database lookups for authentication.
Flexibility
- JWTs can store custom data (roles, permissions, expiration time).
- Useful for access control and fine-grained security.
Widely Adopted
- JWT is a standard (RFC 7519), supported by many libraries, frameworks, and languages.

In short: JWTs make authentication simpler, faster, and scalable for modern web and mobile applications.

Conclusion

Building and maintaining a proper API inventory and using secure authentication methods like JWT are no longer optional — they’re essential for modern organizations. An updated API inventory gives businesses visibility, improves compliance, and strengthens security by ensuring no API goes unnoticed. At the same time, JWT provides a scalable and secure way to handle authentication, making applications faster and easier to manage.

By combining strong API management with reliable authentication, organizations can protect their digital assets, reduce risks, and improve efficiency. At Qodex.ai, we believe that security and simplicity should go hand in hand — empowering businesses to innovate without compromising safety.