JWT structure explained: header, payload, signature decoded
JWT three-part structure, base64url encoding, header alg and typ fields, payload claims, registered claims, signature generation, dot separator
JWT Structure: Header, Payload, Signature
A JWT is three base64url-encoded segments joined by dots: a JSON header, a JSON payload, and a signature:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoxNzAwMDAzNjAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Part 1 — Header: Describes the token type and signing algorithm.

{ "alg": "HS256", "typ": "JWT" }

Part 2 — Payload: Contains claims. Registered claims have standard names:

sub: Subject (user ID)
iat: Issued at (Unix timestamp)
exp: Expiry (Unix timestamp)
iss: Issuer
You can add custom claims like role or email. Keep the payload small — it travels on every request.
Part 3 — Signature: Computed as:

HMACSHA256(
  base64url(header) + '.' + base64url(payload),
  secret
)

The signature proves the token was issued by someone with the secret and that neither the header nor payload was tampered with after signing. Changing a single character in the header or payload invalidates the signature.
Important: the payload is encoded, not encrypted. Anyone can base64url-decode it and read the claims. Never put passwords, PII, or sensitive data in a JWT payload unless you are using JWE (encrypted JWTs).
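The three parts above, as an added example that is not code from the original page: a minimal HS256 signer and verifier written with only the Python standard library. The secret and claims are constructed for the demo; the verifier pins the algorithm to HS256, compares signatures in constant time, and checks exp against a caller-supplied clock so the result is deterministic.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    """Re-add the padding base64url strips, then decode."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature; compact JSON so segments are canonical."""
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"

def verify_hs256(token: str, secret: bytes, now: int):
    """Return the claims if signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None  # pin the algorithm; never let the token pick it
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None  # any change to header or payload lands here
    claims = json.loads(b64url_decode(p))
    return claims if claims.get("exp", 0) > now else None

def read_payload_unverified(token: str) -> dict:
    """Anyone can do this: the payload is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))

# Constructed demo values (not a real secret).
SECRET = b"constructed-demo-secret"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "user_123", "role": "admin", "iat": 1700000000, "exp": 1700003600}

def demo():
    token = sign_hs256(HEADER, PAYLOAD, SECRET)
    h, _, s = token.split(".")
    # Tampered token: edited payload, original signature left in place.
    edited = dict(PAYLOAD, role="superadmin")
    tampered = f"{h}.{b64url(json.dumps(edited, separators=(',', ':')).encode())}.{s}"
    return {
        "genuine": verify_hs256(token, SECRET, now=1700000100),
        "tampered_verified": verify_hs256(tampered, SECRET, now=1700000100),
        "tampered_unverified": read_payload_unverified(tampered)["role"],
    }
```

The header segment the signer produces is exactly the one in the sample token above; the tampered token still reads as "superadmin" to anyone who only decodes it, but fails verification.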
