The latest articles on DEV Community by Kevin (@icryinbed). https://dev.to/icryinbed https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3655609%2Fd922664c-e9e7-4024-b732-cd01430bcc3e.jpg https://dev.to/icryinbed en Kevin Wed, 03 Jun 2026 01:03:58 +0000 https://dev.to/icryinbed/jwt-the-theory-before-the-code-1p4o https://dev.to/icryinbed/jwt-the-theory-before-the-code-1p4o <h2> What is a JWT? </h2> <p>JWT stands for JSON Web Token. It's a way to pass information between two parties in a compact, self-contained format. The key idea is that the token itself carries the data the server doesn't need to store anything to validate it.</p> <h2> The three parts </h2> <p>A JWT looks like this:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjzuehev4vi4t561r0gyg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjzuehev4vi4t561r0gyg.png" alt=" " width="799" height="280"></a></p> <p>Three base64 encoded strings joined by dots.</p> <p><strong>Header</strong> contains the token type and the signing algorithm (usually HS256 or RS256).</p> <p><strong>Payload</strong> is the actual data, called "claims". Things like user id, role, expiration time.</p> <p><strong>Signature</strong> is created by combining the header, payload, and a secret key. This is what makes the token trustworthy.</p> <h2> How trust works </h2> <p>When your server receives a JWT, it doesn't look up the user in a database to verify the request. Instead, it recalculates the signature using the secret key and checks if it matches the one in the token.</p> <p>If someone tampers with the payload, the signature won't match. That's the whole point.</p> <h2> Claims </h2> <p>The payload is made of claims, statements about the user or the session. There are registered ones like <code>sub</code> (subject, usually the user id), <code>exp</code> (expiration timestamp), and <code>iat</code> (issued at). You can also add your own custom claims like <code>role</code> or <code>plan</code>.</p> <h2> What JWT is not </h2> <p>JWT is not encryption. The payload is encoded, not encrypted. Anyone can decode it and read the contents. Never put sensitive data like passwords in a JWT.</p> <p>What it does guarantee is integrity: you can trust that the data hasn't been modified since it was signed.</p>