JWT Token Examples & Common Claims
Explore common JWT token examples and payload structures. Paste any example into the decoder above to inspect its header, payload, and claims in detail.
JWT Decoder
Decode and inspect JSON Web Tokens. View header, payload, and expiration status.
Standard JWT claims
JWT defines several registered claims: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). These are not required but are widely used conventions. Custom claims can be added for application-specific data like user roles, permissions, and email.
Authentication token example
A typical auth JWT contains a header naming the algorithm (HS256 or RS256) and a payload with sub (user ID), email, roles/permissions, iat (issued-at timestamp), and exp (expiration). The signature lets the recipient detect tampering, but only if the recipient actually verifies it before trusting any claim. Access tokens typically expire in 15–60 minutes.
Common JWT header algorithms
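HS256 (HMAC-SHA256) uses a shared secret: simple, but the secret must be held on both sides, so any party that can verify a token can also create one. RS256 (RSA-SHA256) uses a public/private key pair: only the issuer holds the private key and verifiers need just the public key, which makes it more secure for distributed systems. ES256 (ECDSA) is similar to RS256 but with smaller keys. Most APIs use RS256 for public key verification.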
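An added example (not from the original page), using only Python's standard library: it signs the auth-token payload described above with HS256, shows that the payload can be read without any key, and verifies the token with the algorithm pinned and exp/nbf enforced. The secret, claim values, function names, and the choice to reject tokens that lack exp are assumptions made for this example.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # constructed sample key, not a real one
CLAIMS = {"sub": "user-123", "email": "alice@example.com", "roles": ["reader"],
          "iat": 1700000000, "exp": 1700000900}   # constructed; exp = iat + 15 min

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _mac(secret, signing_input):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url_encode(_mac(secret, signing_input))

def peek_payload(token):
    """Decode the payload with no key at all: the claims are readable by anyone."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token, secret, now=None):
    """Return the claims if alg, signature and time checks pass; else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the verifier side rather than trusting the header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(signature, _mac(secret, header_b64 + "." + payload_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))   # trusted only after the MAC check
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):                   # assumption: no exp means reject
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims

if __name__ == "__main__":
    token = sign_hs256(CLAIMS, SECRET)
    print(peek_payload(token), verify_hs256(token, SECRET, now=CLAIMS["iat"] + 60))
```

Passing `now` explicitly keeps the expiry check reproducible against the fixed sample timestamps; in real use leave it unset so the current time is used.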
Frequently Asked Questions
What are the three parts of a JWT?
A JWT has three Base64url-encoded parts separated by dots: the Header (algorithm and type), the Payload (claims/data), and the Signature (verification hash). Example: xxxxx.yyyyy.zzzzz
Should I store sensitive data in a JWT?
No. JWT payloads are only Base64url-encoded, not encrypted. Anyone who obtains the token can decode and read the payload. Never store passwords, credit card numbers, or other secrets in JWT claims.