JWT structure explained: header, payload, signature
What each part of a JSON Web Token contains, how the parts are encoded, and which claims are standard.
Three dot-separated parts
A JWT is three base64url-encoded strings joined by dots in the form header.payload.signature. The header and payload decode to JSON objects; the signature decodes to raw bytes that let a verifier detect tampering with either of the other two parts.
The header
The header is a small JSON object that names the signing algorithm in the alg field (for example HS256 or RS256) and the token type in the typ field, which is usually JWT.
Registered payload claims
The payload holds claims about the user and the token. Common registered claims include sub (subject), iss (issuer), aud (audience), iat (issued at), exp (expiry) and nbf (not before). Time claims are seconds since the Unix epoch.
The signature is not the payload
The signature is computed over the encoded header and payload using a shared secret (HMAC algorithms such as HS256) or a private key (asymmetric algorithms such as RS256). Base64url-decoding the token only reveals its contents and never proves the signature is valid, so anyone can read the payload; accepting it requires verifying the signature with the matching key, normally through a JWT library.