2026-07-01
The Complete JWT Guide
A practical pillar guide to JSON Web Tokens — structure, claims, algorithms, verification, and how to use Cyberway tools safely.
JSON Web Tokens are everywhere in modern APIs. This guide explains how JWTs work, what can go wrong, and how to use the Cyberway JWT Decoder and JWT Generator while you learn.
Anatomy of a JWT
A JWT has three Base64URL parts: header, payload, and signature. The header usually declares alg and typ. The payload carries claims. The signature binds both parts to a key so recipients can detect tampering.
Paste any sample token into the decoder to see each part rendered as JSON.
Registered claims you should know
Common registered claims include iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (token id). Hover tooltips in Cyberway explain these inline while you inspect a token.
Algorithms
HMAC algorithms (HS256 and friends) use a shared secret. Asymmetric algorithms (RS256, ES256) use a private key to sign and a public key to verify. Never accept alg: none in production verifiers.
Verification vs decoding
Decoding only reveals claims. Verification proves the signature matches your key material. Always verify on the server that protects your APIs. The optional verify panel in Cyberway is for learning and debugging — not a replacement for server-side checks.
Keep learning
Try the Cyberway JWT Decoder or JWT Generator — both run entirely in your browser.