


What is JWT?
JSON Web Tokens (JWTs) are a standardized way to securely send data between two parties. They carry information (claims) encoded as JSON, and these claims convey specific details between the parties involved.
At its core, a JWT is a mechanism for verifying the authenticity of some JSON data: each JWT is cryptographically signed, so any tampering with its contents during transmission or storage can be detected.
It is important to note that a JWT guarantees the integrity and origin of its data, not its confidentiality. The token is only serialized (Base64Url-encoded), not encrypted, so anyone who intercepts it can read its contents.
It is strongly advised to use JWTs over HTTPS, as with web traffic in general. HTTPS protects the confidentiality of the JWT contents during transmission and provides a broader layer of protection for data in transit.
A JWT is just a string that looks like this: xxxxx.yyyyy.zzzzz
It has 3 parts:
Header – says the token type (JWT) and the algorithm used (like HS256).
Payload – contains the actual data (like user ID, role, or permissions).
Signature – ensures the token wasn't changed by anyone.
How Does JWT Work?
1. User Logs In
A user enters a username and password.
The server verifies the credentials.
If correct, the server creates a JWT containing user info (e.g., userId: 123, role: "admin") and signs it with a secret key.
2. Token Sent to Client
The JWT is sent back to the client (usually in the login response).
The client stores it safely (localStorage, sessionStorage, or cookies).
3. Client Sends JWT with Requests
For every request to a protected API, the client sends the JWT in the Authorization header like this:
Authorization: Bearer <JWT>
4. Server Verifies JWT
The server receives the token.
It checks the signature using the secret key:
If valid → it trusts the data inside (like the user role).
If invalid → it rejects the request (401 Unauthorized).
5. Access Granted or Denied
If the token is valid and the user has the right permissions → the server allows access.
If not → the server denies access.

Example:
User logs in → gets a JWT with payload:
{ "userId": 123, "role": "admin" }
User calls /admin/dashboard with the token. Server checks role = "admin".
Access granted.
Structure of JWT
The structure of a JWT (JSON Web Token) is made up of three main parts, separated by dots (.):
Header
Contains metadata about the token, such as the type of token (JWT) and the signing algorithm used (e.g., HS256, RS256). Example:
{ "alg": "HS256", "typ": "JWT" }
Payload
Contains the actual data (called claims) that the token carries.
Claims can be about the user (like user_id, role) or token metadata (like expiration time). Example:
{ "sub": "1234567890", "name": "John Doe", "admin": true, "exp": 1694102400 }
Signature
Created by taking the encoded header + "." + the encoded payload and applying the secret key with the algorithm named in the header.
Ensures that the token hasn't been tampered with.
Formula:
Signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Final JWT looks like this:
xxxxx.yyyyy.zzzzz
xxxxx → Encoded Header
yyyyy → Encoded Payload
zzzzz → Signature

JWT example step by step:
1. Header (before encoding)
{
"alg": "HS256",
"typ": "JWT"
}
After Base64Url encoding →
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
2. Payload (before encoding)
{
"sub": "1234567890",
"name": "John Doe",
"admin": true,
"exp": 1716000000
}
After Base64Url encoding →
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0
3. Signature
We combine:
Base64UrlEncode(Header) + "." + Base64UrlEncode(Payload)
Then compute HMAC-SHA256 over that string with a secret key (e.g., mysecretkey).
Example result:
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Final JWT looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTcxNjAwMDAwMH0.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
The first two parts can be decoded back to JSON (header + payload), but the signature can only be verified with the secret key. That's how JWT ensures integrity and trust.
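As an added example (not code from the original post or from Qodex), the following stand-alone Python implements both the login/verify flow from the "How Does JWT Work?" section and the encoding and signature formula from this section, using only the standard library. The function names, the `role` claim check and the explicit `now` parameter are my assumptions; the header, payload and secret are the page's own example values.

```python
import base64
import hashlib
import hmac
import json

# The page's own example header, payload and illustrative secret.
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "admin": True, "exp": 1716000000}
SECRET = "mysecretkey"


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped on encoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj: dict) -> str:
    # Compact separators: the exact bytes produced here are what gets signed.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def hs256(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    # Signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    signing_input = f"{encode_json(header)}.{encode_json(payload)}"
    return f"{signing_input}.{b64url_encode(hs256(signing_input, secret))}"


def verify_hs256(token: str, secret: str, now: int) -> dict:
    # Step 4 on the server: recompute the MAC, compare it in constant time,
    # then enforce the exp claim. Any failure raises ValueError.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to the one the server issues; never trust the header's choice.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hs256(f"{header_b64}.{payload_b64}", secret)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authorize(auth_header: str, secret: str, required_role: str, now: int) -> bool:
    # Steps 3-5: take the bearer token from the Authorization header, verify it,
    # then check the role claim. False means the request is rejected (401/403).
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    try:
        claims = verify_hs256(token, secret, now)
    except ValueError:
        return False
    return claims.get("role") == required_role
```

The encoded header and payload this produces match the values shown above; the signature depends on the secret and on the exact JSON bytes, so different whitespace or key order yields a different third segment.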
Benefits of JWT
The main benefits of using JWT (JSON Web Token):
Stateless Authentication
JWTs don’t require storing session data on the server.
The server just verifies the token, making it scalable and efficient.
Compact and Fast
JWTs are small in size (JSON format), so they can be easily sent in headers, URLs, or cookies.
This makes them fast to transmit between client and server.
Secure (When Used Correctly)
JWTs are signed using algorithms like HMAC or RSA, ensuring data integrity.
They can’t be tampered with unless the secret/private key is known.
Cross-Domain / Cross-Platform Support
JWTs work well in distributed systems, microservices, and APIs.
They can be used across mobile apps, web apps, and different domains.
Self-Contained
JWTs carry all the necessary user information (claims) inside the token.
This reduces repeated database lookups for authentication.
Flexibility
JWTs can store custom data (roles, permissions, expiration time).
Useful for access control and fine-grained security.
Widely Adopted
JWT is a standard (RFC 7519), supported by many libraries, frameworks, and languages.
In short: JWTs make authentication simpler, faster, and scalable for modern web and mobile applications.
Conclusion
Building and maintaining a proper API inventory and using secure authentication methods like JWT are no longer optional — they’re essential for modern organizations. An updated API inventory gives businesses visibility, improves compliance, and strengthens security by ensuring no API goes unnoticed. At the same time, JWT provides a scalable and secure way to handle authentication, making applications faster and easier to manage.
By combining strong API management with reliable authentication, organizations can protect their digital assets, reduce risks, and improve efficiency. At Qodex.ai, we believe that security and simplicity should go hand in hand — empowering businesses to innovate without compromising safety.
All Rights Reserved.
Copyright © 2025 Qodex