Understanding JWT Token Structure
A deep dive into JSON Web Tokens: structure, claims, and security.
JWT (JSON Web Token) is an open standard for securely transmitting information between parties.
JWT Structure
A JWT consists of three parts separated by dots:
xxxxx.yyyyy.zzzzz
Header.Payload.Signature
1. Header
Contains token type and signing algorithm:
{
"alg": "HS256",
"typ": "JWT"
}
2. Payload
Contains the claims (statements about the user):
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 1516242622
}
3. Signature
Verifies the token hasn't been tampered with:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)
Standard Claims
- iss: Issuer
- sub: Subject (user ID)
- aud: Audience
- exp: Expiration time
- iat: Issued at
- nbf: Not before
Security Best Practices
1. Use strong secrets: at least 256 bits (32 bytes) of random key material for HMAC algorithms
2. Set expiration: always include the exp claim so a stolen token has a limited lifetime
3. Use HTTPS: never transmit tokens over plain HTTP
4. Validate all claims: check iss, aud, exp (and nbf when present) on every request, after verifying the signature
5. Don't store sensitive data: the payload is only base64url-encoded, not encrypted, so anyone holding the token can read it
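The structure and signature rule above, and the validation practices, worked through in one place. This is an added example, not code from the original page: it signs an HS256 token by hand with the standard library and then verifies it the way a server should (fixed algorithm, constant-time MAC check, registered-claim checks). The issuer and audience strings and the secret are constructed test values.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_secret(secret: bytes) -> None:
    # HS256 keys must be at least 256 bits (32 bytes)
    if len(secret) < 32:
        raise ValueError("secret must be at least 256 bits")

def sign_hs256(claims: dict, secret: bytes) -> str:
    # Header.Payload.Signature, each part base64url-encoded
    check_secret(secret)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now: int) -> dict:
    """Return the claims of a valid token; raise ValueError otherwise."""
    check_secret(secret)
    # Unpacking raises ValueError unless there are exactly three parts
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the token's own "alg" field must never choose the verifier
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the MAC avoids timing side channels
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    # Only after the signature holds do the registered claims mean anything
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("bad issuer or audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("missing exp or token expired")
    if now < claims.get("nbf", now):
        raise ValueError("token not yet valid")
    return claims
```

Pass `now` explicitly (e.g. `int(time.time())`) so the clock is controlled by the caller and the check is reproducible in tests.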
Common Algorithms
- HS256: HMAC with SHA-256 (symmetric)
- RS256: RSA with SHA-256 (asymmetric)
- ES256: ECDSA with SHA-256 (asymmetric)