
JWT Structure

A JWT consists of three Base64Url-encoded parts separated by dots (.). These parts are:

JWT Format
header.payload.signature

1. Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

Example Header
{
  "alg": "HS256",
  "typ": "JWT"
}

Common algorithms: HS256, RS256, ES256, none (insecure: a token with "alg": "none" carries no signature, so a verifier must reject it rather than accept it unsigned)

2. Payload

The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims:

Registered Claims

Predefined claims recommended by JWT spec:

  • iss - Issuer
  • sub - Subject
  • aud - Audience
  • exp - Expiration time
  • nbf - Not before
  • iat - Issued at
  • jti - JWT ID

Public Claims

Defined in the IANA JWT Registry or as a URI

Private Claims

Custom claims agreed upon by parties using JWTs

Example Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

3. Signature

The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.

Signature Creation (HS256)
HMACSHA256(
  base64UrlEncode(header) + '.' +
  base64UrlEncode(payload),
  secret
)

The signature ensures data integrity and authenticity.
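As an added example (not code from this page), the HS256 computation above in Python's standard library: it encodes the header and payload shown on this page into the signing input, signs it, and then verifies the token the way a careful consumer should, pinning the accepted algorithm, comparing the MAC in constant time, and checking exp. The secret is a constructed placeholder because the page does not state the one behind its sample token, so the resulting signature differs from the page's.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret (the page does not state the secret behind its token).
SECRET = b"demo-secret-not-for-production"
ALLOWED_ALGS = {"HS256"}  # the verifier pins its algorithm; "none" is never accepted

# The header and payload shown on this page.
EXAMPLE_HEADER = {"alg": "HS256", "typ": "JWT"}
EXAMPLE_PAYLOAD = {"sub": "1234567890", "name": "John Doe",
                   "iat": 1516239022, "exp": 1516242622}

def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # HMACSHA256(base64UrlEncode(header) + '.' + base64UrlEncode(payload), secret)
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, now: int) -> dict:
    # Returns the payload, or raises ValueError. Checks the algorithm before
    # trusting anything else, then the MAC in constant time, then 'exp'.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(p_b64))
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload
```

The first two segments of the token this produces are byte-for-byte the header and payload segments of the raw token at the end of this page; only the signature segment depends on the secret.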

Complete Example

Here's a decoded example token:

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Raw Token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyNDI2MjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c