What is the structure of a JWT?

A compact JWT has three Base64url-encoded segments separated by dots: header.payload.signature. The header describes the algorithm and type; the payload holds claims (JSON); the signature (or MAC) proves integrity to anyone with the verification key or secret.

How is a JWT different from a server session?

Sessions store state on the server and send an opaque cookie reference. JWTs embed claims in the token itself. That enables horizontal scaling without shared session storage but pushes revocation, size, and trust boundaries into application design.

What does token expiry (exp) mean?

exp is a NumericDate claim: after that instant, validators should reject the token. Clock skew between issuers and verifiers requires a small tolerance. Short-lived access tokens plus refresh flows reduce exposure when a token leaks.

What are common JWT security risks?

Weak or missing verification, trusting claims without signature check, algorithm confusion (RS256 vs HS256), huge tokens, and putting sensitive PII in the payload (it is only Base64url, not encrypted). Always verify alg against an allowlist and use libraries correctly.

What is the alg:none attack?

Attackers set header alg to none and strip the signature; vulnerable servers accept unsigned tokens. Modern libraries reject none for verification, but custom parsers have reintroduced this bug. Never branch verification logic on unauthenticated header content.

JWT Parser & Token Debugger Online

JWTs carry signed (or MAC’d) JSON claims in a compact wire format. WMCoder decodes header and payload so you can debug tokens—verification still belongs in your backend.

Try it now: Open the free JWT Parser & Token Debugger Online tool — no sign-up required.

JWT structure in practice

The header typically includes typ: "JWT" and alg such as HS256 or RS256. Some setups add kid to pick a verification key from a JWKS endpoint. The payload is a JSON object: registered claims (iss, sub, aud, exp, nbf, iat, jti) plus private namespaced claims. The signature covers base64url(header) + '.' + base64url(payload) using the declared algorithm. Parsing splits on . and Base64url-decodes the first two parts—conceptually similar to Base64 Encoder but with URL-safe alphabet and different padding rules.

Libraries differ in whether they decode the payload as UTF-8 JSON only or accept unexpected binary; stick to UTF-8 JSON for interoperability. JWE (encrypted JWT) wraps a ciphertext payload and is not the same as a signed-only JWT; do not assume confidentiality from a standard three-part JWS.

Claims you should understand

exp and nbf gate validity windows; iat helps detect replay in narrow scenarios. aud restricts which APIs may accept the token; skipping audience checks is a common multi-tenant footgun. iss ties the token to an issuer URL you trust. Custom roles or permissions belong in namespaced keys to avoid collisions. None of this is secret: anyone with the token can read the payload, so treat JWTs like bearer credentials, not encrypted storage.

When debugging, compare clock drift between services: an exp that looks valid in one timezone may already be past UTC. Use short access token lifetimes (minutes) and rotate refresh tokens with binding to the client where possible.

Security pitfalls beyond alg:none

Algorithm confusion tricks a server into using a public key as an HMAC secret. Mitigate with explicit allowed algorithms and library APIs that separate symmetric and asymmetric verification. Key rotation requires handling kid and overlapping JWKS keys. Size matters: cookies and headers have limits; huge claim sets hurt latency. For confidentiality of claims, use encrypted JWTs (JWE) or transport encryption—not a plain JWT.

kid injection and untrusted JWKS URLs are another class of bug: fetch keys only from configured issuers, pin TLS, and cache with sane TTLs. Never verify using a header field that an attacker controls without authenticating the header through the signature first—which is impossible for alg:none, hence the hard ban in mature stacks.

How parsing fits your toolchain

Use WMCoder to decode and read claims during integration work. When your protocol hashes canonical JSON for signatures, align pretty-printing and key order with JSON Formatter test vectors. Hash Generator is relevant when you hash detached content referenced by a JWT claim—not the JWT string itself.

Production code must verify signatures or MACs with the issuer’s key material, enforce exp/nbf/aud, and reject tokens that fail any check—parsing alone proves nothing about trustworthiness. Log claim summaries (sub, aud, jti) rather than full tokens in production observability pipelines.

Frequently Asked Questions

What is the structure of a JWT?: A compact JWT has three Base64url-encoded segments separated by dots: header.payload.signature. The header describes the algorithm and type; the payload holds claims (JSON); the signature (or MAC) proves integrity to anyone with the verification key or secret.
How is a JWT different from a server session?: Sessions store state on the server and send an opaque cookie reference. JWTs embed claims in the token itself. That enables horizontal scaling without shared session storage but pushes revocation, size, and trust boundaries into application design.
What does token expiry (exp) mean?: exp is a NumericDate claim: after that instant, validators should reject the token. Clock skew between issuers and verifiers requires a small tolerance. Short-lived access tokens plus refresh flows reduce exposure when a token leaks.
What are common JWT security risks?: Weak or missing verification, trusting claims without signature check, algorithm confusion (RS256 vs HS256), huge tokens, and putting sensitive PII in the payload (it is only Base64url, not encrypted). Always verify alg against an allowlist and use libraries correctly.
What is the alg:none attack?: Attackers set header alg to none and strip the signature; vulnerable servers accept unsigned tokens. Modern libraries reject none for verification, but custom parsers have reintroduced this bug. Never branch verification logic on unauthenticated header content.

Ready to try it yourself?

Use JWT Parser & Token Debugger Online for Free