What is a JWT and how is it structured
JWT definition, header, payload, signature, base64url encoding, claims, iss aud exp sub, token inspection
Three Parts, One Token
A JWT (JSON Web Token) is three base64url-encoded segments joined by dots: header.payload.signature. The header and payload are JSON objects; the signature is raw bytes. It is not encrypted by default — anyone who holds the token can decode and read the header and payload. What makes it trustworthy is the signature, which proves the token was issued by your server and has not been tampered with.
Header and Payload
The header specifies the token type and signing algorithm:
{ "alg": "HS256", "typ": "JWT" }
The payload contains claims — assertions about the user and the token itself:
{
"sub": "user_123", // subject: who the token is about
"iss": "auth.myapp.com", // issuer
"aud": "api.myapp.com", // audience
"exp": 1717000000, // expiry (Unix timestamp)
"iat": 1716996400 // issued at
}
The Signature
The signature is computed as:
HMACSHA256(
base64url(header) + '.' + base64url(payload),
secretKey
)
If an attacker modifies any part of the payload (e.g., changes sub to a different user ID), the signature no longer matches and your server rejects the token. Only a holder of the secret key can produce a valid signature, and with HS256 that key must be known only to your server. The signature proves origin and integrity only: after verifying it, your server still has to check the claims it relies on, such as exp, iss and aud.
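The following is an added, self-contained example (not code from the original page) that builds the HS256 token described above from the header and claims shown, verifies it, and demonstrates that changing sub without the key makes the signature fail. The secret key and the swap_claim helper are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed example key; a real deployment loads it from a secret store.
SECRET = b"example-secret-do-not-use"
HEADER = {"alg": "HS256", "typ": "JWT"}

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_json(obj: dict) -> str:
    # Compact separators keep the segment short; this exact encoding is what gets signed.
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def sign_hs256(payload: dict, key: bytes) -> str:
    """HMACSHA256(base64url(header) + '.' + base64url(payload), key), as on the page."""
    signing_input = f"{encode_json(HEADER)}.{encode_json(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the payload if the signature and the iss/aud/exp claims hold; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # verify with the algorithm you expect, not whatever the header says
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature mismatch")  # header or payload altered, or wrong key
    payload = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if payload.get("iss") != issuer or payload.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload

def swap_claim(token: str, claim: str, value) -> str:
    # Re-encode the payload with one claim changed but keep the original signature (no key needed).
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload[claim] = value
    return f"{h}.{encode_json(payload)}.{s}"
```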
