JWT Structure
JWTs consist of three Base64Url-encoded parts: Header, Payload, Signature separated by dots (e.g., xxxxx.yyyyy.zzzzz).
Header
{"alg": "HS256", "typ": "JWT"}
Payload (Claims)
- Registered:
iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), jti (JWT ID).
- Public/Private claims for custom data.
Example:
{"sub": "1234567890", "name": "John Doe", "admin": true}
Signature
HMACSHA256(base64Url(header) + "." + base64Url(payload), secret)
Read the official introduction at jwt.io and RFC 7519 summary.