What is JWT? — UK Software Development Guide

4 min readJune 2025ClickMasters Technical TeamReviewed by James Whitmore, CTO
what is jwt

Direct Answer

JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object that is digitally signed. JWTs are commonly used as access tokens in OAuth 2.0 and OpenID Connect authentication flows. A JWT consists of three parts: Header (token type and signing algorithm), Payload (claims — the information being transmitted), and Signature (cryptographic verification).

JWT in the UK

JWTs are the standard access token format for UK API authentication. UK government APIs (HMRC MTD uses JWTs, NHS Login issues OIDC tokens which are JWTs) and most UK SaaS platforms use JWTs for authentication. UK GDPR consideration: JWT payloads are only base64-encoded (not encrypted) — never put personal data in a JWT payload unless the token is encrypted (JWE, not JWS). The UK practice is to put only the user ID and role in the JWT payload, storing personal data server-side. JWT expiry: short-lived access tokens (15 minutes) with refresh tokens (7 days) is the recommended pattern.

Get Expert Advice on JWT

Speak with our UK software development experts about JWT. Free consultation, transparent pricing, no obligation.