What is JWT and How Does it Work?

Apidog for Enterprise

On-Premises Deploy

SSO & RBAC

SOC 2 Compliant

JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims to be transferred between two parties. These claims are often used to ensure the integrity and authenticity of information.

This article explores how JWTs work. We will look at the structure of a JWT, which consists of three encoded and digitally signed parts. We will then discuss common use cases for JWTs and review some of the benefits of using them,

The Structure of a JWT(With Example)

A JSON Web Token (JWT) consists of three parts separated by dots: Header, Payload, and Signature. The overall structure is:

xxxxxxxxxx.yyyyyyyyyy.zzzzzzzzzz

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
Example Header (base64 encoded): eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Payload:

The payload contains claims. Claims are statements about an entity (typically, the user) and additional data.
There are three types of claims: registered, public, and private claims.
Example Payload (base64 encoded): eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ

Signature:

To create the signature part, you need to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
Example Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Putting it all together:

Header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Encoded JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwia

The Benefits of using JWT:

JWTs contain JSON objects that are encoded and signed, ensuring integrity and authenticity without relying on stateful sessions on the server.

Some of the key benefits that make JWTs useful are:

Compact size from URL-safe JSON encoding for space efficiency
Self-contained with all necessary user information to avoid excessive database queries
Digital signatures for tamper-proof security and authenticity verification
Stateless nature to improve scalability by removing server-side sessions
Universal interoperability with JSON parsers available in most languages
Extensible via custom data fields without breaking existing frameworks

JWT vs OAuth: the Difference between JWT and OAuth

JWT (JSON Web Token) and OAuth are related but serve different purposes in the context of authentication and authorization in web development. Here's a brief comparison of JWT and OAuth:

JWT (JSON Web Token):

Purpose: JWT is a compact, self-contained way to transmit information between parties securely. It is commonly used for authentication and information exchange.
Content: JWT contains claims about an entity (typically, a user) and is often used for user authentication. Claims can include user ID, roles, permissions, and other relevant information. JWTs are often used to create stateless authentication systems.
Usage: JWTs are usually sent as part of the request headers in HTTP requests. They are used to represent the identity and privileges of the user.

OAuth (Open Authorization):

Purpose: OAuth is a framework for authorization, allowing a third-party application to access a user's resources on another server without exposing the user's credentials. OAuth is not designed for authentication but for delegation of authority.
Roles: OAuth defines roles such as Resource Owner, Client, Authorization Server, and Resource Server. It enables scenarios where a user can grant access to their resources (e.g., photos, contacts) to another application without sharing their credentials.
Grant Types: OAuth introduces grant types (authorization code, implicit, client credentials, password, etc.) to specify how the authorization process should be carried out.
Tokens: OAuth involves the use of access tokens and refresh tokens. Access tokens are used to access protected resources, and refresh tokens can be used to obtain a new access token.

Key Differences:

Purpose: JWT is primarily used for authentication and information exchange, whereas OAuth is a framework for authorization.
Content: JWT contains claims about a user, while OAuth focuses on defining roles and permissions and managing access to resources.
Roles: JWT is often used to represent the identity of the user, while OAuth involves roles like Resource Owner, Client, Authorization Server, and Resource Server.
Tokens: JWT is a type of token used for authentication, whereas OAuth introduces access tokens and refresh tokens for managing authorization.

How Does JWT Work?

JSON Web Tokens (JWTs) play a key role in authentication by providing a secure and efficient way to verify the identity of users. The process typically involves the following steps:

User Authentication: Users sign in using their username and password or through external providers like Google or Facebook. The authentication server validates the credentials and issues a JSON Web Token (JWT) certifying the user's identity.
JWT Generation: The identity provider (IdP) generates a JWT, signing it with either a secret salt or a private key. This JWT encapsulates essential user information, such as user ID, roles, and expiration time.
JWT Usage: The user's client securely stores the JWT obtained during authentication. When accessing protected resources, the client includes the JWT in the HTTP Authorization header.
Token Verification: The resource server decodes and verifies the authenticity of the JWT using the provided secret salt or public key. This process ensures the integrity and origin of the token.

JWT in Apidog

Apidog is a user-friendly API development and testing tool that excels in managing JSON Web Tokens (JWT). With its intuitive interface, Apidog simplifies the process of handling JWTs, providing automatic support for token generation, dynamic management, and seamless inclusion in API requests.

This tool streamlines the JWT-related aspects of API development, allowing developers to focus on efficient testing and integration within their workflows.

button

In this article

The Structure of a JWT(With Example)Header:Payload:Signature:The Benefits of using JWT:JWT vs OAuth: the Difference between JWT and OAuth JWT (JSON Web Token):OAuth (Open Authorization):Key Differences:How Does JWT Work?JWT in Apidog

Apidog: A Real Design-first API Development Platform

API Design

API Documentation

API Debugging

Automated Testing

API Mocking

More

Get Started for Free

Enterprise

On-Premises or SaaS or EU-hosted

SSO, RBAC & audit logs

SOC 2, GDPR, ISO 27001

Explore Apidog Enterprise

Explore more

What is httpYac?

What is httpYac? A guide to the .http file HTTP client for VS Code and CLI, with a small example, scripting, CI usage, and a GUI alternative.

25 June 2026

What is curlie? The curl + HTTPie hybrid HTTP client explained

What is curlie? A single-binary HTTP client that wraps curl with HTTPie-style syntax and colored output. Learn install, usage, curlie vs curl, and when to upgrade.

25 June 2026

Apidog vs Schemathesis: functional and contract testing vs property-based fuzzing

Apidog vs Schemathesis: functional and contract testing vs property-based fuzzing. What each wins, a comparison table, and how to run both together.

25 June 2026