JWE vs JWT — Side-by-Side for Developers

TL;DR:

JWT = signed, readable payload (integrity).

JWE = encrypted, hidden payload (integrity + confidentiality).

This is a quick, practical breakdown with examples and a comparison table you can skim in under 3 minutes.

JWT (JSON Web Token) in a nutshell

• Structure: header.payload.signature
• Signed to prevent tampering, but not encrypted — anyone with the token can read the payload.
• Great for auth claims, sessions, API access control.

Example (shortened):

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

JWE (JSON Web Encryption) in a nutshell

• Structure: protectedHeader.encryptedKey.iv.ciphertext.tag
• Encrypted — only intended recipients can read the payload.
• Great for transmitting sensitive data (PII, financial info, secrets).

Example (shortened):

eyJhbGciOiJSU...encryptedKey...iv...ciphertext...tag

JWE vs JWT — Quick Comparison

When to use which

• Choose JWT when you only need integrity (no tampering) and payload visibility is acceptable.
• Choose JWE when you also need confidentiality — the payload must remain private.

Bonus: structures at a glance

JWT parts:

• Header: alg, kid, typ
• Payload: claims
• Signature: verifies integrity

JWE parts:

• Protected Header: alg, enc, kid
• Encrypted Key: content-encryption key for recipient
• IV: initialization vector
• Ciphertext: encrypted payload
• Tag: authentication tag

Tools for working with tokens

Need to generate keys or convert PEM → JWK for testing JWT/JWE?

Try this JWK Generator

Read the full guide

For deeper explanations, examples, and best practices, read the original post on Authgear:

https://www.authgear.com/post/jwe-vs-jwt