NowTo Tools
1/3/2026 · 7 min read

JWT Tokens Explained for Beginners (With Examples)

JWT (JSON Web Token) is one of the most important concepts in modern web development. If you work with APIs, authentication, or any web application, you will encounter JWTs. This guide explains everything you need to know in plain language.

What Is a JWT?

A JWT is a compact, URL-safe token that carries claims (statements such as "this user is alice, and this token expires at noon") from an issuer to a verifier. It looks like a long string of characters separated by two dots: xxxxx.yyyyy.zzzzz. Each section has a specific purpose.

The Three Parts of a JWT

Header: Contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256). It is Base64-encoded JSON. Payload: Contains the claims — the actual data like user ID, email, role, and expiration time. Also Base64-encoded JSON. Signature: A cryptographic hash of the header and payload, signed with a secret key. This ensures the token has not been tampered with.

How JWT Authentication Works

The typical flow is:
1. User logs in with username and password.
2. Server verifies credentials and creates a JWT containing user info and an expiration time.
3. Server sends the JWT to the client.
4. Client stores the JWT. A cookie marked HttpOnly keeps it away from page scripts; localStorage is common but readable by any script running on the page, so an XSS bug there leaks the token.
5. Client sends the JWT with every API request in the Authorization header (Authorization: Bearer <token>).
6. Server verifies the JWT signature, checks the expiration and other claims, and extracts the user info without hitting the database.

Why Use JWTs?

JWTs are stateless: the server does not need to store session data. This makes scaling much easier, since any server holding the verification key can validate the token independently. JWTs are self-contained: all necessary information is in the token itself. They work across different domains and services, making them a good fit for microservices architectures. The trade-off is that a token cannot be recalled once issued; it stays valid until it expires unless you add server-side state (a denylist or a revocable refresh token), which is why access tokens are kept short-lived.

Common JWT Claims

Standard (registered) claims include: "sub" (subject, usually the user ID), "exp" (expiration time, as a Unix timestamp), "iat" (issued at), "nbf" (not before), "iss" (issuer), "aud" (audience, the service the token is meant for). Custom claims can include anything: role, permissions, organization, or any application-specific data. Whatever the claim, the server should act on it only after the signature has been verified, since until then the payload is just client-supplied input.

JWT Security Best Practices

Always verify the signature on the server side, and let the server decide which algorithm it accepts rather than trusting the "alg" field in the header: the header is part of the token, so anyone holding it can rewrite that field. Set reasonable expiration times (15-60 minutes for access tokens), reject tokens whose "exp" has passed, and check "iss" and "aud" so that a token minted for one service is not accepted by another. Never store sensitive data in the payload: it is only Base64url-encoded, not encrypted, and anyone with the token can read it. Use HTTPS to prevent token interception, and keep the token where page scripts cannot read it (an HttpOnly cookie rather than localStorage) where your architecture allows. Implement token refresh for long sessions, using a separate refresh token that the server can revoke.
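The login flow and the checks above, written out as an added example (this is not code from NowTo Tools or from any JWT library): a minimal HS256 mint-and-verify pair using only the Python standard library. The secret, issuer, audience and user ID are made-up sample values, and the server-side verifier pins the algorithm, compares the signature in constant time, and checks exp, iss and aud before returning the claims. A decode-without-verification helper shows that the payload is readable without the key, and the demo feeds the verifier a tampered token, a token signed with the wrong key, an expired token, and a token whose header claims "alg": "none".

```python
"""Minimal HS256 JWT mint/verify with claim checks.

Added example, not code from the NowTo Tools page or any library.
Standard library only. All values below are constructed samples.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed sample values; a real service loads the secret from a
# secrets manager, never from source code.
SECRET = b"example-shared-secret-at-least-32-bytes!"
ISSUER = "https://auth.example"
AUDIENCE = "api.example"


def b64url_encode(data):
    # JWT uses base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # Restore the padding that was stripped at encode time.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret, ttl_seconds=900):
    """Step 2 of the login flow: build header.payload.signature."""
    now = int(time.time())
    payload = dict(claims, iat=now, exp=now + ttl_seconds, iss=ISSUER, aud=AUDIENCE)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token):
    """What a browser-side decoder does: no secret needed, so anyone
    holding the token can read the header and payload."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_token(token, secret, now=None):
    """Step 6: verify signature and standard claims; raise on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The server pins the algorithm; the header is attacker-controlled,
    # so the token never gets to choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    # compare_digest avoids leaking the comparison result through timing.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("exp") is None or now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    return claims


def tamper_role(token):
    """Re-encode the payload with role=admin but keep the old signature."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims["role"] = "admin"
    return h + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "." + s


def alg_none(token):
    """Swap the header for alg=none and drop the signature entirely."""
    _, p, _ = token.split(".")
    return b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + p + "."


def demo():
    """Run the verifier against a good token and four bad ones."""
    token = mint_token({"sub": "user-123", "role": "user"}, SECRET)
    results = {"valid": verify_token(token, SECRET)["sub"] == "user-123"}
    cases = [("tampered", tamper_role(token), None),
             ("wrong_key", mint_token({"sub": "user-123"}, b"other-secret"), None),
             ("alg_none", alg_none(token), None),
             ("expired", token, int(time.time()) + 901)]
    for name, bad, at in cases:
        try:
            verify_token(bad, SECRET, now=at)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

Every rejection path raises before any claim is returned, so the calling code never sees a role it has not verified; in production you would swap the shared secret for an asymmetric key (RS256 or ES256) once more than one service needs to verify tokens, so that verifiers hold only a public key.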

Decode a JWT Right Now

Want to inspect a JWT? Use NowTo Tools' JWT Decoder to instantly decode and inspect any JWT. The tool runs entirely in your browser, so your tokens stay private. You can see the header, payload, and check the structure. Decoding needs no secret, which is exactly why nothing sensitive belongs in the payload.

Understanding JWTs is essential for any web developer. Bookmark the JWT Decoder for quick token inspection during development.
