Security | 9 min read

JWT Tokens Explained: Header, Payload, Signature

Understand the structure of JWT tokens and how they are used for authentication and authorization.

Published: 2026-06-22

JSON Web Tokens, commonly known as JWTs, have become one of the most popular methods for authentication and authorization in modern web applications. They are widely used in APIs, single-page applications, mobile apps and microservice architectures because they provide a compact and portable way to securely transmit information between systems.

Despite their popularity, many developers use JWTs without fully understanding what information they contain or how they actually work. Understanding the three main parts of a JWT - the header, payload and signature - is essential for implementing authentication securely.

What Is a JWT?

JWT stands for JSON Web Token. It is an open standard defined in RFC 7519 that provides a compact format for securely transmitting information between parties as a JSON object.

A JWT is typically used after a user successfully authenticates. Instead of storing session information on the server, the server generates a token and sends it to the client. The client includes this token in future requests to prove its identity.

Because JWTs are self-contained, they can carry information about the user and permissions directly inside the token itself.

What Does a JWT Look Like?

A JWT consists of three sections separated by periods:

xxxxx.yyyyy.zzzzz

Each section is Base64URL-encoded and serves a different purpose.

The three sections are:

HEADER.PAYLOAD.SIGNATURE

Let's examine each part individually.

Part 1: Header

The header contains metadata about the token. It typically specifies the token type and the signing algorithm used to generate the signature.

A typical JWT header looks like this:

{
  "alg": "HS256",
  "typ": "JWT"
}

The alg field identifies the signing algorithm. Common values include HS256, HS384, HS512, RS256 and ES256. Because the header arrives with the token and is therefore under the sender's control, a verifier should accept only the algorithm it expects rather than honouring whatever alg the token declares.

The typ field usually contains JWT to indicate that the token is a JSON Web Token.

After encoding, this header becomes the first section of the token.

Part 2: Payload

The payload contains the actual information carried by the token. These pieces of information are called claims.

A typical payload might look like this:

{
  "sub": "123456789",
  "name": "John Doe",
  "role": "admin",
  "iat": 1781850000
}

Claims can include user identifiers, usernames, permissions, expiration dates and any other information the application needs.

The payload is encoded but not encrypted. Anyone who obtains the token can decode and read the payload contents.

Important: Payload Data Is Visible

One of the most common JWT misconceptions is that the payload is encrypted. This is false.

JWTs use Base64URL encoding, not encryption. Anyone can decode the token and inspect the payload.

For this reason, sensitive information such as passwords, API secrets, credit card numbers or private personal data should never be stored inside JWT payloads.

Common JWT Claims

Several claims have standardized meanings.

{
  "iss": "issuer",
  "sub": "subject",
  "aud": "audience",
  "exp": 1781900000,
  "nbf": 1781850000,
  "iat": 1781850000,
  "jti": "token-id"
}

The most frequently used claim is exp, which specifies when the token expires.

Using expiration times is critical because it limits how long stolen tokens remain valid.

Part 3: Signature

The signature is what makes JWTs trustworthy.

The signature is generated from the encoded header, the encoded payload and either a shared secret (for the HMAC algorithms such as HS256) or a private key (for RS256, ES256 and the other asymmetric algorithms).

For HS256, the process is conceptually similar to:

HMACSHA256(
  base64Url(header) + "." + base64Url(payload),
  secret
)

The resulting value becomes the third section of the JWT.

Why the Signature Matters

Without the signature, attackers could simply modify the payload and grant themselves additional permissions.

For example, an attacker might change:

{
  "role": "user"
}

Into:

{
  "role": "admin"
}

However, modifying the payload changes the signature calculation. Because attackers do not possess the signing secret, they cannot generate a valid signature.

When the server verifies the token, the modified token is rejected.
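The following is an added example, not code from the article: a minimal HS256 signer and verifier built only on Python's standard library, which walks through Parts 1 to 3, the exp claim, and the "role": "user" to "role": "admin" tampering scenario above. The secret and the claim values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url(data):
    # Base64URL without padding, as RFC 7519 requires for every JWT section.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_sign(header, payload, secret):
    # Signature = HMAC-SHA256(base64url(header) + "." + base64url(payload), secret).
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def decode_payload_unverified(token):
    # Anyone holding the token can do this: Base64URL is encoding, not encryption.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token, secret, now=None):
    # Returns (True, claims) or (False, reason). The signature is checked before any claim is trusted.
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"  # pin the algorithm instead of honouring the header
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired"
    if "nbf" in claims and now < claims["nbf"]:
        return False, "token not yet valid"
    return True, claims

def swap_payload_keep_signature(token, new_claims):
    # Reproduces the tampering scenario above: a new payload under the original signature.
    h, _, s = token.split(".")
    return h + "." + b64url(json.dumps(new_claims, separators=(",", ":")).encode()) + "." + s
```

Decoding the tampered token still reveals "admin" in the payload, which is the visibility point from the previous section, but verify_hs256 rejects it because the signature no longer matches.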

How JWT Authentication Works

A typical authentication flow follows these steps:

Most APIs expect the token inside the Authorization header.

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Advantages of JWTs

JWTs offer several benefits compared to traditional server-side sessions.

Because the token contains the required information, servers often do not need to store session data. This makes JWTs particularly useful for distributed systems and microservices.

JWTs are also compact, portable and supported by virtually every major programming language.

Potential Drawbacks

JWTs are not perfect and can create security issues when used incorrectly.

One challenge is revocation. Once a token has been issued, it usually remains valid until expiration. Logging out a user does not automatically invalidate an existing token unless additional mechanisms are implemented.
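One such additional mechanism, shown here as an added example rather than anything the article prescribes, is a server-side denylist of revoked jti values that is consulted only after the signature and exp checks have passed. The class name and the claim values are constructed for the illustration.

```python
import time

class JtiDenylist:
    """Server-side denylist keyed by the token's jti claim.

    An entry is kept only until the token's own exp; after that the
    expiration check rejects the token anyway, so the list stays bounded.
    """

    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, claims):
        # Call on logout or credential compromise, with already verified claims.
        if "jti" not in claims or "exp" not in claims:
            raise ValueError("revocation requires jti and exp claims")
        self._revoked[claims["jti"]] = claims["exp"]

    def is_revoked(self, claims, now=None):
        now = int(time.time()) if now is None else now
        self._prune(now)
        return claims.get("jti") in self._revoked

    def _prune(self, now):
        # Drop entries whose tokens have expired on their own.
        for jti in [j for j, exp in self._revoked.items() if now >= exp]:
            del self._revoked[jti]

    def __len__(self):
        return len(self._revoked)
```

Tokens issued without a jti cannot be revoked individually, which is one reason to include the claim even though it is optional.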

Another issue is token size. Storing excessive information inside the payload increases request sizes and may negatively impact performance.

Best Practices

When using JWT authentication, follow several important security recommendations.

JWT vs Sessions

Traditional sessions store user data on the server while the browser stores only a session identifier.

JWTs move some of that information into the token itself. This reduces server storage requirements but introduces challenges such as token revocation and larger request sizes.

Neither approach is universally superior. The best choice depends on the application's architecture and requirements.

Conclusion

JWTs provide a flexible and efficient mechanism for authentication and authorization. Their structure is simple: a header describing the token, a payload containing claims and a signature that protects against tampering.

Understanding how these three parts work together is essential for building secure authentication systems. When implemented correctly, JWTs offer scalability, portability and strong security guarantees. When implemented poorly, they can expose sensitive information and create vulnerabilities.

The key takeaway is simple: the header identifies the token, the payload carries information and the signature provides trust. Understanding these components will help you use JWTs safely in modern applications.
