
JSON Web Token (JWT)

A JWT is a compact, signed token (header, payload, signature) that carries claims like who the user is and when the token expires, so a server can verify a session without a database lookup.

also: JWT · json web token · bearer token

Key facts: header.payload.signature · signed, not encrypted · readable by anyone; keep secrets out

A JWT is three base64url parts separated by dots: a header naming the signing algorithm, a payload of claims (subject, issued-at, expiry, roles), and a signature computed over the first two encoded parts exactly as they are transmitted. Because a valid signature proves the token was produced by the holder of the signing key and has not been tampered with since, the server can trust the claims after a quick signature check, which is what makes JWTs popular for stateless auth across APIs and services.

Three things trip people up. First, the payload is encoded, not encrypted: anyone holding the token can read it, so never put secrets in a JWT. Second, statelessness cuts both ways: a JWT cannot easily be revoked before it expires, so keep lifetimes short, always check the exp claim, and pair short-lived access tokens with a refresh-token flow. Third, the server must verify the signature with a key and algorithm it chose itself. Trusting the token's own alg header, including the value none, lets the attacker decide how the token is checked; this algorithm-confusion mistake is a classic and serious vulnerability.
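The following is an added example, not code from the original page: a minimal HS256 issuer and verifier using only the Python standard library, showing the three-part structure, why the payload is readable without the key, why the verifier must pin the algorithm rather than read it from the header, and an expiry check plus the jti denylist approach to revocation described in the Q&A below. The secret key, claim values and the `forge_alg_none` helper are constructed for the demonstration and are not part of any real service.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key: a real service loads this from a secrets manager,
# and it never appears inside a token.
SECRET = b"demo-secret-key-do-not-use-in-production"
# The server pins the algorithm. The token's own header never gets a vote.
ALLOWED_ALG = "HS256"


def b64url_encode(raw: bytes) -> str:
    # JWTs use base64url with the trailing '=' padding stripped.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder removed, then decode.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(sub: str, roles: list, ttl_seconds: int,
                key: bytes = SECRET, now: int = None, jti: str = None) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    payload = {"sub": sub, "roles": roles, "iat": now, "exp": now + ttl_seconds,
               "jti": jti or secrets.token_hex(8)}  # jti: unique id for denylisting
    signing_input = _encode_part(header) + "." + _encode_part(payload)
    # The signature covers the encoded parts joined by '.', exactly as sent.
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_claims_untrusted(token: str) -> dict:
    # Anyone can do this without the key: the payload is encoded, not encrypted.
    # The result is NOT authoritative until verify() has accepted the token.
    return json.loads(b64url_decode(token.split(".")[1]))


def forge_alg_none(token: str, new_claims: dict) -> str:
    # What an attacker tries against a verifier that trusts the header:
    # rewrite alg to "none", edit the claims, and send an empty signature.
    payload = {**read_claims_untrusted(token), **new_claims}
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(payload) + "."


def verify(token: str, key: bytes = SECRET, revoked: set = frozenset(),
           now: int = None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Algorithm pinning: reject anything but the algorithm we chose, so
    # "none" and key-confusion tricks never reach the signature check.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # Only now are the claims trustworthy; still enforce lifetime and revocation.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if claims.get("jti") in revoked:
        raise ValueError("token revoked")
    return claims


def is_valid(token: str, **kwargs) -> bool:
    try:
        verify(token, **kwargs)
        return True
    except (ValueError, json.JSONDecodeError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    t = issue_token("alice", ["user"], ttl_seconds=300)
    print("claims readable without key:", read_claims_untrusted(t))
    print("valid:", is_valid(t))
    print("alg=none forgery accepted:", is_valid(forge_alg_none(t, {"roles": ["admin"]})))
    print("valid after revocation:", is_valid(t, revoked={read_claims_untrusted(t)["jti"]}))
```

The `now` parameter exists so the expiry logic can be exercised deterministically; production code leaves it at the default. Because the denylist only needs to hold a jti until that token's exp passes, short lifetimes keep it small.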

Free tool: JWT Decoder & Inspector. Decode a JSON Web Token's claims and see when it was issued and when it expires.

Questions & answers

Is the data in a JWT encrypted?
No. The payload is base64url-encoded, which is trivially reversible, so anyone holding the token can read its claims without the signing key. The signature only guarantees the token has not been altered, not that it is private. Never store secrets or sensitive personal data in a JWT unless you separately encrypt it, either the individual claim values or the whole token as a JWE, the encrypted counterpart to a signed JWT.
Can you revoke a JWT?
Not easily, because a token with a valid signature is accepted until it expires without any server-side lookup. The practical answers are short expiry times paired with refresh tokens, or a server-side denylist of revoked token IDs (the jti claim) checked on every request, which reintroduces the state JWTs were meant to avoid; the denylist only needs to hold an ID until that token's exp passes, so short lifetimes keep it small. Match the approach to how fast you need revocation to take effect.

Want this applied to your stack, not just defined?

The free tools run the numbers; an audit tells you where the real cost and risk are. Book a call, or leave your email and I'll reach out.

Book a call

No spam. You'll get a reply from me.

Prefer proof first? See how this plays out in real case studies →