The three segments

header.payload.signature

# Header (decoded):
{"alg":"HS256","typ":"JWT","kid":"signing-key-2026-05"}

# Payload (decoded):
{
  "iss": "https://issuer.example",
  "sub": "user_42",
  "aud": "api.example",
  "exp": 1700003600,
  "iat": 1700000000,
  "scope": "read:profile write:profile"
}

# Signature:
# HMAC-SHA256(secret, base64url(header) + "." + base64url(payload))
# or RSA / ECDSA signature for asymmetric algorithms

Standard claims

| Claim | Name       | Use                                   |
|-------|------------|---------------------------------------|
| iss   | Issuer     | Who issued the token.                 |
| sub   | Subject    | The principal the token is about.     |
| aud   | Audience   | Intended recipients.                  |
| exp   | Expires at | Unix time after which to reject.      |
| nbf   | Not before | Unix time before which to reject.     |
| iat   | Issued at  | Unix time of issue.                   |
| jti   | JWT ID     | Unique ID, useful for revocation.     |

Algorithms you'll see

Algorithm-confusion attack. If a verifier lets the token's own alg header choose the verification algorithm, and the same key material is reachable for more than one algorithm, an attacker can change RS256 (verified with the public key) to HS256 (verified with a shared secret) and sign a forged token using the public key as the HMAC secret; the verifier then accepts it. Always pin one specific algorithm in your verifier and never take it from the header.

Things to do