Understanding JWT Structure: Header, Payload, and Signature
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims between two parties. It’s widely used in modern authentication systems like OAuth 2.0 and OpenID Connect. But to use JWTs effectively, you must understand their three core components: Header, Payload, and Signature.
The Header: Metadata About the Token
The header typically contains two fields:
- alg – The signing algorithm (e.g., HS256, RS256)
- typ – The token type, usually "JWT"
Example Header

```json
{ "alg": "HS256", "typ": "JWT" }
```

The Payload: The Claims (Data)
The payload holds the actual claims — statements about the user and additional data. There are three types:
- Registered: iss, sub, aud, exp, nbf, iat, jti
- Public: Defined by the application (e.g., role, permissions)
- Private: Custom claims agreed between the two parties
The Signature: Tamper Protection
The signature is computed over the base64url-encoded header and payload (joined by a dot) using either a shared secret (HMAC) or a private key (RSA/ECDSA). A verifier that recomputes or checks the signature can tell whether the token has been altered since it was signed.
Important: The viewer does not verify signatures. Verification requires the key and is outside the scope of safe client-side inspection.
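To make the three-part structure and the signature check concrete, here is an added example (not code from the page or its viewer) that splits a compact token into its decoded header, payload and raw signature, builds an HS256 token, and verifies one. The secret and claims are constructed sample values; the verifier pins the expected algorithm instead of trusting the token's alg field and compares signatures in constant time.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret and claims for the demonstration only.
SECRET = b"demo-secret-not-for-production"
CLAIMS = {"sub": "1234567890", "role": "admin", "iat": 1516239022}


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT strips, then decode the segment."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def parse_jwt(token: str) -> dict:
    """Split header.payload.signature and decode each part (no verification)."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),
    }


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a token: HMAC-SHA256 over '<header>.<payload>' with the shared secret."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Return True only if the token is well-formed, HS256, and its MAC matches."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
    except ValueError:  # wrong number of segments, bad base64, or bad JSON
        return False
    # Pin the algorithm the verifier expects; the token must not choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)  # constant-time comparison
```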
Master JWT structure — master modern auth.