Category: security. Tags: #jwt, #authentication, #security

Understanding JWT: Structure, Claims, and How It Works

A deep dive into JSON Web Tokens — how they're structured, what claims mean, and why they're the backbone of modern authentication.

Trong Ngo
February 22, 2026
2 min read

Table of Contents

  • What is a JWT?
  • Three-Part Structure
  • The Header
  • The Payload and Claims
  • The Signature
  • How Verification Works

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token for transmitting claims between parties in a way the recipient can verify. A signed JWT proves who issued it and that nothing in it has been altered; it does not hide its contents, because anyone holding the token can decode the payload. It is the common choice for stateless authentication: the server doesn't need to store sessions because the token itself carries the user's identity and claims. The trade-off is that a token cannot be revoked before it expires unless the server keeps some state after all (a denylist, short lifetimes plus refresh tokens, and so on).

Three-Part Structure

A JWT looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U

Three Base64URL-encoded parts separated by dots: header.payload.signature. Base64URL is plain Base64 with - and _ in place of + and / and with the trailing = padding dropped, which is what makes the token safe to put in URLs and HTTP headers. The header and payload are encoded JSON; the signature is encoded raw bytes.
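
As an added example (not code from the page or from HeoLab's decoder tool), the following Python splits the sample token above into its three segments, restores the padding that Base64URL drops, and decodes the two JSON parts. It shows what any "JWT decoder" does, and also what it does not do: no secret is involved, so the header and payload are readable by anyone who sees the token. The only input is the page's own sample token.

```python
import base64
import json

# The sample token from the article (a demo token, not a live credential).
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJzdWIiOiIxMjM0NTY3ODkwIn0"
    ".dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U"
)


def b64url_decode(segment: str) -> bytes:
    """Decode a Base64URL segment. JWT segments omit '=' padding, so restore it first."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def split_jwt(token: str) -> dict:
    """Split a compact JWT into its three parts and decode the JSON ones.

    No signature check happens here. This is exactly what a decoder tool does,
    and it demonstrates that header and payload are visible without the secret.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),
        # The bytes the signature actually covers: the first two segments, still encoded.
        "signing_input": f"{header_b64}.{payload_b64}".encode("ascii"),
    }


if __name__ == "__main__":
    parsed = split_jwt(SAMPLE_TOKEN)
    print("header :", json.dumps(parsed["header"]))
    print("payload:", json.dumps(parsed["payload"]))
    print("signature:", len(parsed["signature"]), "bytes (32 = one HMAC-SHA256 tag)")
```

Running it prints the header `{"alg": "HS256", "typ": "JWT"}` and the payload `{"sub": "1234567890"}`; the 32-byte signature is the HMAC-SHA256 tag over `signing_input`, which is why the verification section below recomputes it over those exact encoded bytes rather than over the decoded JSON.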

The Header

{
  "alg": "HS256",
  "typ": "JWT"
}
  • alg: The signing algorithm: HS256 (HMAC with SHA-256 using a shared secret), RS256 (RSA PKCS#1 v1.5 with SHA-256), ES256 (ECDSA with P-256 and SHA-256). A verifier must treat this field as untrusted input and accept only the algorithm it expects; a verifier that honours whatever alg the token declares (including none) can be tricked into accepting forged tokens.
  • typ: Conventionally JWT. The field is optional, and some profiles use other values, such as at+jwt for OAuth access tokens.

The Payload and Claims

{
  "sub": "user_123",
  "name": "Trong Ngo",
  "roles": ["admin"],
  "iat": 1716239022,
  "exp": 1716325422
}

Registered claims: sub (subject), iss (issuer), aud (audience), iat (issued at), exp (expiration), nbf (not before), jti (unique token ID, useful for revocation lists). Everything else, such as name and roles above, is a custom claim. The timestamps are Unix seconds; in this example exp is exactly 86400 seconds (24 hours) after iat. Remember that the payload is only encoded, not encrypted: anyone who sees this token can read that the user is an admin, so never put secrets in it.

The Signature

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

The signature ensures the token hasn't been tampered with: changing a single byte of the header or payload invalidates it. Without the secret, an attacker can't forge a valid token, although they can still read it. Two caveats. With HS256 every service that can verify tokens also holds the secret and can therefore mint them, which is why multi-service deployments usually prefer RS256 or ES256, where the issuer signs with a private key and verifiers only need the public key. And because a token contains everything needed to check a guess, a short or guessable HMAC secret can be brute-forced offline, so the secret should be a long random key, not a password.

How Verification Works

  1. Client sends Authorization: Bearer <token>
  2. Server splits the token on the dots and decodes the header, checking that alg is the algorithm the server expects (never the one the token asks for)
  3. Re-computes the signature over the encoded header.payload using the same secret (or, for RS256/ES256, verifies it with the issuer's public key)
  4. Compares the two signatures in constant time; if they match, the token is authentic
  5. Server checks exp (and nbf, iss and aud where they are used) to ensure the token is current and was issued for this service
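
The five steps above, carried through in Python as an added example that is not the page's or HeoLab's own code. It issues an HS256 token with a constructed demo secret (`DEMO_SECRET`, an assumption for the example), verifies it the way the steps describe, and then shows the verifier rejecting three things a naive implementation often lets through: a payload edited to escalate roles with the old signature left in place, a token that declares alg none, and a token whose exp has passed. Only the standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. A real HS256 key should be at least 32 random bytes.
DEMO_SECRET = b"demo-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify a token following the article's steps. Returns the payload or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, signature_b64 = parts

    # Step 2: decode the header but treat it as untrusted input. Pin the algorithm
    # the server expects instead of trusting 'alg'; this is what blocks alg=none.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    # Step 3: recompute the HMAC over the exact encoded bytes that were signed.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()

    # Step 4: constant-time comparison so response timing leaks nothing about the tag.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")

    # Step 5: only now trust the payload, and enforce the time-based claims.
    payload = json.loads(b64url_decode(payload_b64))
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    if now < payload.get("nbf", 0):
        raise ValueError("token not yet valid")
    return payload


def demo() -> dict:
    """Issue a token, then record how the verifier treats each manipulation."""
    issued_at = 1716239022  # same timestamp as the article's sample payload
    token = sign_hs256(
        {"sub": "user_123", "roles": ["user"], "iat": issued_at, "exp": issued_at + 86400},
        DEMO_SECRET,
    )
    results = {"valid": verify_hs256(token, DEMO_SECRET, now=issued_at + 60)["sub"]}

    header_b64, _, signature_b64 = token.split(".")
    # Attack 1: rewrite the payload (roles -> admin) but keep the original signature.
    forged_payload = b64url_encode(
        b'{"sub":"user_123","roles":["admin"],"iat":1716239022,"exp":1716325422}'
    )
    attacks = {
        "tampered": f"{header_b64}.{forged_payload}.{signature_b64}",
        # Attack 2: declare alg=none and send no signature at all.
        "alg_none": b64url_encode(b'{"alg":"none","typ":"JWT"}') + f".{forged_payload}.",
    }
    for name, bad_token in attacks.items():
        try:
            verify_hs256(bad_token, DEMO_SECRET, now=issued_at + 60)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    # Step 5 in action: the genuine token is rejected once its exp has been reached.
    try:
        verify_hs256(token, DEMO_SECRET, now=issued_at + 86400)
        results["expired"] = "accepted"
    except ValueError as exc:
        results["expired"] = str(exc)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:9s} -> {outcome}")
```

The order of the checks matters: the algorithm is pinned before any cryptography runs, the signature is checked before the payload is parsed as trusted data, and only then are exp and nbf enforced. Production code would also check iss and aud against the values the service expects, and would normally use a maintained JWT library rather than hand-rolled verification; the point of the example is to make visible what such a library must do.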

Use the JWT Decoder to inspect any token instantly. Decoding shows you the header and payload; it cannot tell you whether the signature is valid, because that needs the issuer's secret or public key.

Try These Tools

JWT Decoder & Inspector

Decode and inspect JSON Web Tokens. View header, payload, and verify structure instantly.

Related Articles

Base64 is Not Encryption: Security Misconceptions Explained

1 min read

The JWT Refresh Token Pattern Explained

2 min read

Implementing JWT Authentication in Next.js

2 min read
