Lesson 1

What Is a JWT?

Understand the compact JWT format and where developers encounter it.

A JSON Web Token, usually shortened to JWT, is a compact string used to carry JSON claims between systems. You often see JWTs in API requests, browser storage, cookies, OAuth flows, and service-to-service authentication.

The three segments

A compact JWT has three dot-separated parts:

header.payload.signature

  • The header describes the token type and signing algorithm.
  • The payload contains claims: facts the token is carrying.
  • The signature lets a verifier detect tampering when it has the right key and validation rules.

The first two segments are Base64URL-encoded JSON. That means they are designed to be easy to transport, not hidden from readers.

JWTs are readable

Anyone with the token string can decode the header and payload. That is why sensitive secrets should not be placed in a JWT payload unless the token is encrypted with a separate mechanism.

JWTs are useful because they are compact

JWTs are popular because they fit naturally in HTTP headers and are easy for distributed systems to verify without a central session lookup. That same convenience creates risk when applications skip verification or trust the wrong claims.
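As an added example (not part of the lesson or of any library's API), the script below builds an HS256 token with only the Python standard library, decodes it without any key to show that the claims are readable, and then verifies it the way a service should. The key and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data):
    # Base64URL: URL-safe alphabet, padding stripped (RFC 7515 section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment):
    # Restore the padding the compact form drops before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_json(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def make_token(payload, key):
    # header.payload signed with HMAC-SHA256 over the two encoded segments
    signing_input = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_unverified(token):
    # Anyone holding the token string can do this: no key is involved
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def verify(token, key):
    # Return the claims only if the alg is the one we expect and the HMAC
    # over header.payload matches; any other outcome is None (reject)
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # verifier picks alg, not token
        return None
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))

# Constructed demo key and claims (a real service keeps the key secret)
KEY = b"demo-secret-not-for-production"
TOKEN = make_token({"sub": "alice", "role": "user"}, KEY)

def modified_token():
    # Same header and signature, but the payload segment now says role=admin
    h, _, s = TOKEN.split(".")
    return h + "." + encode_json({"sub": "alice", "role": "admin"}) + "." + s
```

Decoding the modified token still yields readable claims, which is exactly why `decode_unverified` must never be mistaken for `verify`.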

When you want to practice, use the related DevCove tool — optional, not part of this lesson.
