A JSON Web Token, or JWT, is a compact way to carry a set of claims about a subject between two parties in a form that can be verified. It is the token format that powers much of modern web authentication and authorization: a successful login often returns a JWT, which the client then presents on later requests to prove who it is. The format is defined in RFC 7519, “JSON Web Token (JWT),” published by the IETF in May 2015 and authored by Michael Jones, John Bradley, and Nat Sakimura.
The specification defines a JWT as “a compact, URL-safe means of representing claims to be transferred between two parties.” The claims themselves are encoded as a JSON object, which is used either as the payload of a signed structure (a JSON Web Signature) or as the plaintext of an encrypted one (JSON Web Encryption), giving the token integrity protection, confidentiality, or both.
A signed JWT, serialized in the JWS compact form, is recognizable as three Base64url-encoded segments separated by dots: header.payload.signature. The header describes the token type and the cryptographic algorithm used; the payload holds the claims; and the third part is the signature. (An encrypted JWT, which uses the JWE compact serialization, instead carries five dot-separated segments, among them the ciphertext and an authentication tag.) Because the segments are URL-safe, a JWT can be placed in an HTTP header, a query string, or a form field without further escaping.
RFC 7519 registers a set of standard claim names so that independently built systems can interpret tokens consistently. These “registered claims” include “iss” (issuer), “sub” (subject), “aud” (audience), “exp” (expiration time), “nbf” (not before), “iat” (issued at), and “jti” (a unique token identifier). All are optional, and applications are free to add their own private or public claims alongside them.
JWTs became ubiquitous because they are self-contained and stateless: a server that trusts the signing key can validate a token and read its claims without a database lookup. OpenID Connect represents its ID Token as a JWT, and OAuth 2.0 deployments commonly use JWTs as access tokens, making the format a quiet but central piece of internet identity infrastructure.
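The signed form and the claim checks described above, as an added example that is not from RFC 7519 or any particular library: a minimal HS256 issuer and verifier written against Python's standard library only. The key, issuer, audience and claim values are constructed for the demonstration; the verifier pins the algorithm it accepts rather than trusting the header's alg, compares the MAC in constant time, and enforces iss, aud, exp and nbf.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    # JWT segments are Base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # Restore the padding the encoder stripped, then decode.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    # Build header.payload, then HMAC-SHA256 the ASCII signing input.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"

def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    # Return the claims if the token verifies; raise ValueError otherwise.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier pins the algorithm; the header's 'alg' is checked against it, never used to pick one.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check leaks nothing about the MAC.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    # RFC 7519: 'now' must be before 'exp' and not before 'nbf'.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if now < claims.get("nbf", now):
        raise ValueError("token not yet valid")
    return claims
```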