
What Is a JWT? Structure, Claims & How to Decode One Safely

JSON Web Tokens (JWTs) are everywhere in modern auth — APIs, single sign-on, session handling. They look like a random string, but the format is simple and worth understanding, because misusing JWTs is a common source of security bugs.

Key takeaways

  • A JWT has three Base64URL parts: header.payload.signature.
  • It is signed, not encrypted — anyone can read the payload.
  • Claims like exp and iss carry the token's metadata.
  • Always verify the signature and expiry on the server.

The three parts

A JWT is three Base64URL strings joined by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9   ← header
.eyJzdWIiOiIxMjMiLCJleHAiOjE3...        ← payload
.SflKxwRJSMeKKF2QT4fwpMeJf36...         ← signature

  • Header — the token type and signing algorithm, e.g. {"alg":"HS256","typ":"JWT"}.
  • Payload — the claims (your data).
  • Signature — proves the token wasn't tampered with.

Common claims

Claim   Meaning
iss     Issuer — who created the token
sub     Subject — usually the user ID
exp     Expiry time (Unix timestamp)
iat     Issued-at time
aud     Audience — who the token is for


The signature: why it matters

The signature is computed from the header, payload, and a secret (HS256) or private key (RS256). If even one character of the payload changes, the signature no longer matches. That's how a server detects tampering — but only if it actually verifies the signature. Decoding is not verifying.

Security rules every developer should follow

  1. Never store secrets in the payload — it's readable by anyone.
  2. Always verify the signature server-side before trusting any claim.
  3. Reject the none algorithm and pin the expected alg.
  4. Keep expiry short and use refresh tokens for long sessions.
  5. Send it over HTTPS only and store it carefully (avoid plain localStorage for sensitive apps).

Frequently asked questions

Is a JWT encrypted?

No — it's signed. Header and payload are only Base64URL-encoded and readable by anyone. Don't put secrets in them.

What are JWT claims?

The data in the payload: standard ones like iss, sub, exp, iat, plus custom fields.

How do I verify a JWT?

Recompute the signature with your secret/public key and confirm it matches, then check expiry and issuer. Never trust an unverified token.
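The verification steps from this answer and the rules above, as an added example that is not code from the original page: a standard-library Python HS256 verifier that pins alg, compares the HMAC in constant time, then checks exp and iss, next to the "decode only" view a decoder tool gives. The secret, the issuer name auth.example and the timestamps are constructed sample values.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    # Base64URL omits '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Builds a token the way an issuer does: compact JSON, Base64URL, HMAC-SHA256.
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])

def decode_unverified(token: str) -> tuple:
    # What a decoder tool does: read header and claims, trust nothing.
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def verify_hs256(token: str, secret: bytes, issuer: str, now=None) -> dict:
    # Returns the claims only if alg is pinned, the HMAC matches, exp is in the future and iss matches.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # rejects "none" and any algorithm swap
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or missing exp")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    return claims

# Constructed sample: user "123", issued at t=1000, valid until t=2000.
SECRET = b"constructed-demo-secret"
TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                   {"iss": "auth.example", "sub": "123", "iat": 1000, "exp": 2000}, SECRET)

def rejected(token: str, secret=SECRET, issuer="auth.example", now=1500) -> bool:
    # True when the verifier refuses the token (expired, wrong key, tampered, bad alg, ...).
    try: verify_hs256(token, secret, issuer, now)
    except ValueError: return True
    return False
```

Note that decode_unverified happily returns claims for a token that verify_hs256 rejects; that gap is exactly why a server must call the verifier, not the decoder, before trusting sub.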
