
JWT (JSON Web Token) Cheatsheet

A quick reference for JWT structure, standard claims, signing algorithms, and common header fields.

Updated Apr 11, 2026

Sections

  1. JWT Structure
  2. Registered Claims (RFC 7519)
  3. Signing Algorithms
  4. Standard Header Fields
  5. Validation Checklist

JWT Structure

| Part      | Encoding           | Contains                                          |
|-----------|--------------------|---------------------------------------------------|
| Header    | Base64url          | Algorithm (alg) and token type (typ)              |
| Payload   | Base64url          | Claims — registered, public, or private           |
| Signature | Binary → Base64url | HMAC or RSA/ECDSA signature over header.payload   |

Registered Claims (RFC 7519)

| Claim | Full Name       | Description                                          |
|-------|-----------------|------------------------------------------------------|
| iss   | Issuer          | Who issued the token — e.g. "auth.example.com"       |
| sub   | Subject         | Who the token is about — e.g. a user ID              |
| aud   | Audience        | Intended recipient(s) of the token                   |
| exp   | Expiration Time | Unix timestamp — reject token after this time        |
| nbf   | Not Before      | Unix timestamp — reject token before this time       |
| iat   | Issued At       | Unix timestamp when the token was issued             |
| jti   | JWT ID          | Unique identifier — used to prevent replay attacks   |

Signing Algorithms

| Algorithm | Type                       | Use Case                                                                  |
|-----------|----------------------------|---------------------------------------------------------------------------|
| HS256     | HMAC-SHA256 (symmetric)    | Shared secret between issuer and verifier. Simple, fast.                  |
| HS384     | HMAC-SHA384 (symmetric)    | Stronger HMAC variant.                                                    |
| HS512     | HMAC-SHA512 (symmetric)    | Strongest HMAC variant.                                                   |
| RS256     | RSA-SHA256 (asymmetric)    | Private key signs, public key verifies. Use when multiple services verify. |
| ES256     | ECDSA-SHA256 (asymmetric)  | Smaller keys than RSA with equivalent security.                           |
| none      | No signature               | Unsecured JWT — NEVER use in production.                                  |

Standard Header Fields

| Field | Description                                                          |
|-------|----------------------------------------------------------------------|
| alg   | Signing algorithm — e.g. "HS256", "RS256"                            |
| typ   | Token type — always "JWT" for standard JWTs                          |
| kid   | Key ID — hints which key to use for verification (used with JWKS)    |
| cty   | Content type — used when the payload is itself a JWT (nested JWT)    |

Validation Checklist

| Check            | Why                                                                                                   |
|------------------|-------------------------------------------------------------------------------------------------------|
| Verify signature | Ensures the token was not tampered with. Skipping this is a critical security bug.                    |
| Check exp        | Reject expired tokens.                                                                                |
| Check nbf        | Reject tokens not yet valid.                                                                          |
| Check iss        | Ensure the token was issued by the expected party.                                                    |
| Check aud        | Ensure the token is intended for your service.                                                        |
| Use HTTPS only   | Never transmit JWTs over plain HTTP.                                                                  |
| Reject alg: none | The "none" algorithm disables signature verification — always explicitly allowlist algorithms.        |
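The checklist above as an added example (not code from the original cheatsheet): a minimal HS256 issuer and a verifier that applies every check in order, using only Python's standard library. The secret, claim values and the function names `make_hs256_token`, `validate` and `check` are assumptions made here for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256": hashlib.sha256}  # explicit allowlist; "none" is never accepted
def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore stripped padding
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_hs256_token(claims: dict, secret: bytes) -> str:
    # Issuer side: HMAC-SHA256 over "base64url(header).base64url(payload)".
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    # Verifier side: every check from the checklist, raising ValueError on the first failure.
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    digest = ALLOWED_ALGS.get(header.get("alg"))
    if digest is None:  # covers alg "none", unknown algorithms and a missing alg field
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), digest).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # only trusted after the signature passed
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if now < claims.get("nbf", now):
        raise ValueError("token not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    return claims

def check(token, secret, issuer, audience, now=None):
    try:  # (True, claims) on success, (False, reason) on rejection
        return True, validate(token, secret, issuer, audience, now)
    except ValueError as err:
        return False, str(err)
```

Passing `now` explicitly makes the time-based checks deterministic in tests; in production leave it unset so the verifier uses the current clock.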