A JSON Web Token (JWT) is a compact, self-contained token format used for authentication and authorization. It consists of three Base64URL-encoded parts — header, payload, and signature — separated by dots. The signature prevents tampering.

No. A standard JWT is signed, not encrypted. The payload is Base64URL-encoded, which means anyone can decode and read it. Never put sensitive data like passwords in a JWT payload. If you need encrypted tokens, use JWE (JSON Web Encryption).

Where should I store JWTs in the browser?

The safest option is an httpOnly cookie, which prevents JavaScript access and protects against XSS attacks. Storing tokens in localStorage or sessionStorage exposes them to any XSS vulnerability in your application.

How long should a JWT last?

Access tokens should be short-lived — typically 5 to 15 minutes. Use refresh tokens (stored server-side and rotated on each use) for longer session continuity without compromising security.

What is the difference between HS256 and RS256?

HS256 uses symmetric signing — the same secret key signs and verifies. RS256 uses asymmetric signing — a private key signs, a separate public key verifies. RS256 is better for distributed systems where multiple services verify tokens.

JWT Authentication: Tokens & Claims

🔑

Try JWT Decoder

Free, no signup →