What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe string format for passing claims between parties. A signed JWT has three Base64URL-encoded parts separated by dots: the header (algorithm metadata), the payload (claims such as a user ID or expiry), and the signature (cryptographic proof that the first two parts are unaltered). JWTs are commonly used for stateless API authentication.
JWT structure
The header typically contains `alg` (signing algorithm) and `typ` (JWT). The payload holds claims: registered (iss, exp), public, or private. The signature lets a party holding the secret or the public key confirm that the header and payload are intact and were produced by the key holder; decoding without verification only reveals the encoded content and proves nothing about who created it.
Security note
Never trust a JWT payload without verifying the signature on the server. Client-side decoding is for debugging only: anyone can craft a token with arbitrary claims, and a decoder will display it exactly like a genuine one. Production APIs must validate `exp` (expiry), `iss` (issuer), and the signature against the correct secret or the issuer's JWKS public keys.
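As an added example (not code from this page), here is a minimal Python version of both halves: the unverified decode a browser tool performs, and the server-side verification the note above demands, using a constructed demo secret, issuer, and claims.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, time

# Constructed demo secret (an assumption for this example, not a real key).
SECRET = b"demo-secret-for-illustration-only"

def b64url_decode(part: str) -> bytes:
    # Base64URL drops "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(claims: dict) -> str:
    """Issue a token: header.payload, then HMAC-SHA256 over exactly those bytes."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def decode_unverified(token: str) -> tuple[dict, dict]:
    """What a browser decoder shows: header and claims, with no proof of who issued them."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

def tamper(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the old signature: a decoder still displays it happily."""
    header, _payload, sig = token.split(".")
    return f"{header}.{b64url_encode(json.dumps(new_claims).encode())}.{sig}"

def verify(token: str, expected_iss: str, now: float | None = None) -> tuple[dict | None, str]:
    """Server-side check: pinned alg, constant-time signature compare, then iss and exp.
    Returns (claims, "ok") on success or (None, reason) on rejection."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm server-side; never let the token choose it (this also rejects "none").
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        return None, "wrong issuer"
    if not isinstance(claims.get("exp"), (int, float)) or (time.time() if now is None else now) >= claims["exp"]:
        return None, "expired or missing exp"
    return claims, "ok"
```

Note that `decode_unverified` reads a tampered token just as readably as a genuine one; only `verify` tells them apart.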
Debugging with browser tools
Use a JWT decoder to inspect tokens during development. Paste the access token from your login flow, verify claim values, and confirm expiration before blaming API authorization logic.