Script Valley
JWT & Session Auth: Deep Dive
JWT Deep Dive: Lesson 2.1

JWT structure explained: header, payload, signature decoded


JWT Structure: Header, Payload, Signature

JWT Structure Diagram

A JWT is three base64url-encoded segments joined by dots: a JSON header, a JSON payload, and a signature:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoxNzAwMDAzNjAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Part 1 - Header: Describes the token type and signing algorithm.

{ "alg": "HS256", "typ": "JWT" }

Part 2 - Payload: Contains claims. Registered claims have standard names:

  • sub: Subject (user ID)
  • iat: Issued at (Unix timestamp)
  • exp: Expiry (Unix timestamp)
  • iss: Issuer

You can add custom claims like role or email. Keep the payload small; it travels on every request.

Part 3 - Signature: Computed as:

HMACSHA256(
  base64url(header) + '.' + base64url(payload),
  secret
)

The signature proves the token was issued by someone with the secret and that neither the header nor payload was tampered with after signing. Changing a single character in the payload invalidates the signature.

Important: the payload is encoded, not encrypted. Anyone can base64url-decode it and read the claims. Never put passwords, PII, or sensitive data in a JWT payload unless you are using JWE (encrypted JWTs).

Up next

Signing and verifying JWTs with jsonwebtoken in Node.js

