Understanding JWT Structure
A JSON Web Token consists of three parts separated by dots (xxxxx.yyyyy.zzzzz). The first part is the header, which typically contains the signing algorithm (like HS256 or RS256) and the token type (JWT). The second part is the payload, which contains claims — statements about the user and additional metadata. The third part is the signature, computed by signing the encoded header and payload with a secret key.
Each part is Base64URL-encoded, which is a URL-safe variant of standard Base64 encoding. This makes JWTs compact enough to be sent in HTTP headers, URL parameters, or POST body data.
How JWT Authentication Works
In a typical JWT authentication flow, the user logs in with credentials (username and password). The server validates the credentials, creates a JWT containing user information and permissions, signs it with a secret key, and returns it to the client. The client stores the token (usually in memory or an HTTP-only cookie) and includes it in the Authorization header of subsequent requests.
The server verifies the token's signature on each request to ensure it hasn't been tampered with, then extracts the user information from the payload. This stateless approach means the server doesn't need to store session data, making JWT authentication highly scalable.
JWT Security Best Practices
Never store sensitive data in JWT payloads — they are encoded, not encrypted, and can be decoded by anyone. Always use HTTPS to prevent token interception. Set short expiration times and use refresh tokens to issue new access tokens.
Store tokens in HTTP-only, secure cookies rather than localStorage so that script injected through an XSS flaw cannot read them. Validate all claims on the server side, including expiration (exp), issuer (iss), and audience (aud). Use strong signing algorithms — RS256 (asymmetric) is preferred over HS256 (symmetric) for distributed systems where multiple services need to verify tokens.
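As an added example (not code from DuskTools or the page above), the following Python builds the three-part structure described earlier and verifies it the way the best practices list requires: the accepted algorithm is pinned by the verifier, the signature is compared in constant time, and exp, iss and aud are checked before any claim is trusted. HS256 is used because it needs only the standard library; the secret, issuer and audience values are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    # Base64URL is standard Base64 with the URL-safe alphabet and the '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding Base64URL strips before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_jwt(claims: dict, secret: bytes) -> str:
    # "header.payload" is the signing input; the HMAC over it becomes the third part
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"

def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    # Returns the claims only after alg, signature, exp, iss and aud all check out; raises ValueError otherwise
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier pins the algorithm it accepts; the token's own header never gets to choose it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # payload is read only after the signature passes
    if now >= claims.get("exp", 0):  # a missing exp is treated as already expired
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # aud may be a single string or a list of audiences
    if audience != aud and audience not in (aud if isinstance(aud, list) else []):
        raise ValueError("wrong audience")
    return claims

def is_valid(token: str, secret: bytes, issuer: str, audience: str, now=None) -> bool:
    # Boolean wrapper for callers that only need accept/reject
    try:
        verify_jwt(token, secret, issuer, audience, now)
        return True
    except ValueError:  # also covers malformed Base64 and JSON, which subclass ValueError
        return False
```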
JWT vs. Session-Based Authentication
Session-based authentication stores user state on the server (in memory, a database, or Redis). The client receives a session ID cookie and sends it with each request. The server looks up the session to identify the user. This approach is simple but requires shared session storage in distributed systems.
JWT authentication is stateless — the token itself contains all necessary information. This makes it easier to scale horizontally since any server can verify the token independently. However, JWTs cannot be easily revoked (you'd need a blocklist), and token size grows with payload data. The choice depends on your architecture: sessions for simpler apps, JWTs for microservices and APIs.