DEV Community: Sven Schuchardt

JWT Explained: What's Actually Inside a JSON Web Token

Sven Schuchardt — Fri, 10 Apr 2026 17:09:14 +0000

You're integrating an API and you get back a token that starts with eyJ. You paste it somewhere and suddenly you can read your user's email address, their user ID, and an expiry timestamp. No decryption key needed. How? And if anyone can read it, is that secure?

JWTs look encrypted but aren't. That tension — readable but trustworthy — is the whole point. Understanding it takes about five minutes, and it changes how you think about auth tokens for good.

What is a JWT?

A JSON Web Token is three base64url-encoded strings joined by dots:

header.payload.signature

Take a real minimal example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsImVtYWlsIjoidXNlckBleGFtcGxlLmNvbSIsImV4cCI6MTcxMjcwMDAwMH0.signature

Each part can be decoded in a browser console right now — no keys, no secrets, no libraries:

// Manually decode the payload (works in any browser console)
const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsImVtYWlsIjoidXNlckBleGFtcGxlLmNvbSIsImV4cCI6MTcxMjcwMDAwMH0.signature";
const payload = JSON.parse(atob(token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')));
console.log(payload);
// { sub: "user_123", email: "user@example.com", exp: 1712700000 }

Part 1 — Header: Contains alg (the signing algorithm, e.g. HS256 or RS256) and typ (always "JWT"). Decoded, it looks like { "alg": "HS256", "typ": "JWT" }.

Part 2 — Payload: The claims — data statements about the user or token. These are just JSON key-value pairs. Standard claim names are short by convention (sub, exp, iat) but the values can be anything. Custom claims like role or org_id are perfectly valid.

Part 3 — Signature: An HMAC or RSA hash of base64url(header) + "." + base64url(payload), computed using a secret known only to the issuer. This is the part that makes the token trustworthy — not readability, but tamper-evidence.

The key insight: JWTs are signed, not encrypted. The payload is readable by anyone who has the token. Only the issuer can produce a valid signature.

Standard Claims

The JWT spec defines a set of registered claim names. You don't have to use them, but you should — they're understood by every JWT library.

Claim	Name	Meaning
`sub`	Subject	User identifier (user ID, email, etc.)
`iss`	Issuer	Who created the token (your auth server)
`aud`	Audience	Who the token is intended for
`exp`	Expiration	Unix timestamp when token expires
`iat`	Issued at	Unix timestamp when token was created
`nbf`	Not before	Token not valid before this timestamp
`jti`	JWT ID	Unique token identifier (for revocation)

exp and iat are Unix timestamps — seconds since January 1 1970. An exp of 1712700000 means the token expires at a specific calendar date and time. Paste any JWT into our JWT decoder tool to see the header, payload, and claims broken out — without sending the token to any server.

Why it Works — and Where it Doesn't

The signature prevents tampering. If you change even one byte of the payload, the signature becomes invalid. The server verifies by re-computing the signature with its own secret and comparing. If they match, the payload hasn't been touched since the issuer signed it.

But the payload is public. Everyone who holds the token can read it. That means:

Never put passwords, credit card numbers, or API secrets in a JWT payload.
Never put anything you wouldn't put in a cookie you're okay with users reading.
Session tokens and user IDs are fine. Sensitive personal data should stay server-side.

A common mistake in early JWT implementations: accepting a token as proof of identity without verifying the signature. A token that decodes to { "sub": "admin" } proves nothing on its own — the signature is what proves it came from your auth server. Always verify server-side before trusting any claim.

Unix Timestamps Explained: What Every Developer Should Know

Sven Schuchardt — Thu, 09 Apr 2026 19:30:59 +0000

You're tailing a log file and you see this:

[1712700000] ERROR: connection timeout

What is 1712700000? Is it a bug? A timestamp? A version number? If you've ever stared at a number like that and felt unsure, this article is for you.

By the end you'll know exactly what Unix timestamps are, why every serious API uses them, and how to convert them instantly without memorising any formula.

What Is a Unix Timestamp?

A Unix timestamp (also called an epoch timestamp) is simply the number of seconds that have elapsed since January 1, 1970, 00:00:00 UTC — a moment arbitrarily chosen as the starting point of computer time, known as the Unix epoch.

That's it. No timezones, no daylight saving adjustments, no locale quirks. Just a single integer that means the same thing on every machine on the planet.

1712700000 translates to April 9, 2024, 20:00:00 UTC.

Why 1970?

The Unix operating system was developed in the early 1970s. The designers needed a fixed reference point that was recent enough to keep numbers small but old enough to cover any historical dates they cared about. January 1, 1970 was a clean, round choice that stuck — and 50+ years later the entire industry still uses it.

Seconds vs Milliseconds — the most common gotcha

Two variants exist and they will burn you if you mix them up:

Format	Example	Used by
Seconds (Unix time)	`1712700000`	Most Unix APIs, databases, server logs
Milliseconds	`1712700000000`	JavaScript's `Date.now()`, Java, many web APIs

A 13-digit number is almost always milliseconds. A 10-digit number is almost always seconds. When in doubt, check the API docs.

The 2038 problem (a quick aside)

32-bit systems store Unix timestamps as a signed integer, which maxes out on January 19, 2038. Most modern systems use 64-bit integers (which won't overflow until the year 292 billion), but if you're working with embedded systems or legacy C code, it's worth knowing.

Converting Epoch to a Human-Readable Date in JavaScript

No library needed. JavaScript's built-in Date handles it in one line:

// If your timestamp is in seconds, multiply by 1000 first
const ts = 1712700000;
const date = new Date(ts * 1000);

console.log(date.toISOString());
// → "2024-04-09T20:00:00.000Z"

console.log(date.toLocaleString('en-US', { timeZone: 'America/New_York' }));
// → "4/9/2024, 4:00:00 PM"

Going the other way — current time as epoch — is even simpler:

const nowInSeconds = Math.floor(Date.now() / 1000);
console.log(nowInSeconds); // → 1712700000 (approximately)

A debug helper worth bookmarking

When you're debugging logs, paste this into your browser console:

const fromEpoch = (ts) => {
  // Handle both seconds and milliseconds automatically
  const ms = ts > 1e12 ? ts : ts * 1000;
  return new Date(ms).toISOString();
};

fromEpoch(1712700000);    // → "2024-04-09T20:00:00.000Z"
fromEpoch(1712700000000); // → "2024-04-09T20:00:00.000Z"

Try It Without Writing Any Code

If you just need a quick conversion — during debugging, code review, or reading API docs — paste any timestamp into our free epoch converter tool. It handles both seconds and milliseconds, supports timezone selection, and works entirely in your browser. No data is ever sent to a server.

Why APIs Use Unix Time (and Not ISO Strings)

You'll notice that Stripe, GitHub, Slack, and virtually every major API returns timestamps as integers, not formatted date strings. There are good reasons:

No timezone ambiguity — 1712700000 is the same moment everywhere; "2024-04-09 20:00:00" is meaningless without a timezone
Easy arithmetic — want to check if something happened in the last 24 hours? now - ts < 86400. Try doing that with ISO strings.
Compact — 10 digits vs 24 characters for ISO 8601
No parsing edge cases — no locale formats, no AM/PM, no separator variations

The tradeoff is readability — which is exactly why tools and debug helpers exist.

Key Takeaways

A Unix timestamp is seconds since January 1, 1970 UTC
10 digits = seconds, 13 digits = milliseconds — multiply by 1000 before passing to new Date()
APIs use Unix time because it's unambiguous, compact, and arithmetically convenient
Convert any timestamp instantly with our epoch converter tool