---
title: "What is a JWT?"  
description: "What is a JWT?"  
author: "Ravi Vishwakarma"  
published: 2025-06-08  
updated: 2025-06-11  
canonical: https://www.mindstick.com/interview/34219/what-is-a-jwt  
category: "c#"  
tags: ["c#", "web development"]  
reading_time: 6 minutes  

---

# What is a JWT?

A [**JWT (JSON Web Token)**](https://www.mindstick.com/interview/34211/how-does-token-based-authentication-work) is a **compact, URL-safe token format** used to securely **transmit information between parties as a JSON object**. It is widely used in authentication and authorization in modern web APIs.

## Structure of a JWT

A JWT has **three parts**, separated by dots (`.`):

```plaintext
<Header>.<Payload>.<Signature>
```

Example:

```plaintext
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.
eyJzdWIiOiIxMjM0IiwibmFtZSI6IkFubmEiLCJpYXQiOjE1MTYyMzkwMjJ9
.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

## 1. Header

Specifies the type of token and the signing algorithm.

```plaintext
{
  "alg": "HS256",
  "typ": "JWT"
}
```

## 2. Payload (Claims)

Contains the actual **data (claims)** like user ID, name, expiration time, etc.

Example:

```plaintext
{
  "sub": "1234567890",
  "name": "Anna",
  "role": "Admin",
  "iat": 1516239022,
  "exp": 1516242622
}
```

Common standard claims:

- `iss` – Issuer
- `sub` – Subject (user ID)
- `aud` – Audience
- `exp` – Expiration time
- `iat` – Issued at

> The payload is **not encrypted** — it's just **Base64 encoded**, so never put sensitive data in it.

## 3. Signature

Used to verify the token wasn't tampered with. It's created like this:

```plaintext
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
```

The server can **verify** the JWT using the secret (or a public key, if using RSA).

## Why Use JWTs?

| Benefit | Description |
| --- | --- |
| Stateless | No server-side session needed |
| Compact | Easily stored in headers, cookies, or localStorage |
| Self-contained | Contains all needed user claims |
| Cross-domain support | Easy for SPAs, mobile apps, and APIs |
| Verifiable | Tamper-proof due to signature |

## Common Use Cases

- **Authentication**

   - After login, the server issues a JWT.
   - Client includes it in headers on each request:

```plaintext
Authorization: Bearer <token>
```

- **Authorization**

   - APIs decode the JWT and check roles/permissions in the payload.

- **Information exchange**

   - Securely pass info between systems with assurance it's not altered.

## JWT Best Practices

- Use HTTPS to protect tokens in transit.
- Set short expiry (`exp`) times.
- Use **strong secrets or keys**.
- Don't store sensitive info (like passwords).
- Use refresh tokens to renew expired tokens.
- Revoke JWTs via blacklisting (since they are stateless).

## Answers

### Answer by Anubhav Sharma

A **JWT (JSON Web Token)** is a **compact, URL-safe token format** used to securely transmit information between parties as a **JSON object**. It's commonly used for [**authentication and authorization**](https://www.mindstick.com/interview/34211/how-does-token-based-authentication-work) in web applications and APIs.

### Structure of a JWT

A JWT has **three parts**, separated by dots (`.`):

```plaintext
xxxxx.yyyyy.zzzzz
|     |     |
|     |     └── Signature (for integrity)
|     └── Payload (the claims)
└── Header (metadata)
```

### 1. Header

Typically contains:

```plaintext
{
  "alg": "HS256",  // Algorithm used to sign the token
  "typ": "JWT"
}
```

### 2. Payload (Claims)

Contains **data or claims** about the user or subject:

```plaintext
{
  "sub": "1234567890",        // Subject (e.g., user ID)
  "name": "Anna Hajare",
  "iat": 1717938123,          // Issued at (UNIX timestamp)
  "exp": 1717941723           // Expiration time (optional)
}
```

> You can include custom claims too, but avoid putting sensitive data here—**it's not encrypted** by default.

### 3. Signature

Used to verify that the token was **not tampered with**. Created like:

```plaintext
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
```

Or with a private key if using **asymmetric encryption (RS256, etc.)**.

### Common Uses of JWT

- **Authentication**: After login, the server generates a JWT and sends it to the client. The client stores and sends it with every request.
- **Authorization**: The server reads the JWT to determine what the user is allowed to do.
- **Stateless APIs**: No session storage required—everything is in the token.

### Important Notes

- JWTs are **signed, not encrypted** (unless using JWE). Anyone can read the payload if they have the token.
- Never put passwords or private info in a JWT unless encrypted.
- Use **short expiration times** and **refresh tokens** for better security.

## Read Also

- [How to decode JWT Token Visual Studio 2022?](https://www.mindstick.com/forum/160469/how-to-decode-jwt-token-visual-studio-2022)
- [How does token-based authentication work?](https://www.mindstick.com/interview/34211/how-does-token-based-authentication-work)
- [Pros and Cons of API Key Authentication vs. OAuth and JWT](https://www.mindstick.com/blog/303018/pros-and-cons-of-api-key-authentication-vs-oauth-and-jwt)\

### Answer by Ravi Vishwakarma

A [**JWT (JSON Web Token)**](https://www.mindstick.com/interview/34211/how-does-token-based-authentication-work) is a **compact, URL-safe token format** used to securely **transmit information between parties as a JSON object**. It is widely used in authentication and authorization in modern web APIs.

## Structure of a JWT

A JWT has **three parts**, separated by dots (`.`):

```plaintext
<Header>.<Payload>.<Signature>
```

Example:

```plaintext
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.
eyJzdWIiOiIxMjM0IiwibmFtZSI6IkFubmEiLCJpYXQiOjE1MTYyMzkwMjJ9
.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

## 1. Header

Specifies the type of token and the signing algorithm.

```plaintext
{
  "alg": "HS256",
  "typ": "JWT"
}
```

## 2. Payload (Claims)

Contains the actual **data (claims)** like user ID, name, expiration time, etc.

Example:

```plaintext
{
  "sub": "1234567890",
  "name": "Anna",
  "role": "Admin",
  "iat": 1516239022,
  "exp": 1516242622
}
```

Common standard claims:

- `iss` – Issuer
- `sub` – Subject (user ID)
- `aud` – Audience
- `exp` – Expiration time
- `iat` – Issued at

> The payload is **not encrypted** — it's just **Base64 encoded**, so never put sensitive data in it.

## 3. Signature

Used to verify the token wasn't tampered with. It's created like this:

```plaintext
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
```

The server can **verify** the JWT using the secret (or a public key, if using RSA).

## Why Use JWTs?

| Benefit | Description |
| --- | --- |
| Stateless | No server-side session needed |
| Compact | Easily stored in headers, cookies, or localStorage |
| Self-contained | Contains all needed user claims |
| Cross-domain support | Easy for SPAs, mobile apps, and APIs |
| Verifiable | Tamper-proof due to signature |

## Common Use Cases

- **Authentication**

   - After login, the server issues a JWT.
   - Client includes it in headers on each request:

```plaintext
Authorization: Bearer <token>
```

- **Authorization**

   - APIs decode the JWT and check roles/permissions in the payload.

- **Information exchange**

   - Securely pass info between systems with assurance it's not altered.

## JWT Best Practices

- Use HTTPS to protect tokens in transit.
- Set short expiry (`exp`) times.
- Use **strong secrets or keys**.
- Don't store sensitive info (like passwords).
- Use refresh tokens to renew expired tokens.
- Revoke JWTs via blacklisting (since they are stateless).


---

Original Source: https://www.mindstick.com/interview/34219/what-is-a-jwt

Copyright © MindStick Software Pvt. Ltd. This Markdown version is provided for developers, AI systems, and offline reading.
