JWT Structure Explained
A JWT string looks like `xxxxx.yyyyy.zzzzz`. The first segment is the header (JSON naming the signing algorithm), the second is the payload (the claims), and the third is the signature (an HMAC tag or an asymmetric signature over the first two). Each segment is Base64URL-encoded: the header and payload are JSON, the signature is raw bytes. Encoding is not encryption, so anyone holding the token can read the claims.
Header
Example: `{"alg":"HS256","typ":"JWT"}`. Declares the algorithm (`alg`) and token type (`typ`) used to produce the signature.
Payload
Registered claims such as `sub` (subject), `exp` (expiry) and `iat` (issued at). Custom claims are allowed but should be namespaced, for example with a URI prefix, to avoid collisions with registered or third-party claim names.
Signature
The signing input is `base64url(header) + '.' + base64url(payload)`; it is signed with a shared secret (HMAC) or a private key (RSA or ECDSA). Verification either recomputes the HMAC and compares it in constant time, or checks the signature against the public key.
Inspecting tokens safely
Decoding shows claims for debugging but does not prove authenticity. Pair visual inspection with server-side verification libraries. Rotate secrets if a token may have leaked.
Algorithm choice
Prefer RS256 or ES256 for public clients; HS256 requires sharing a symmetric secret. Never expose signing secrets in frontend code.
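The structure, signing and verification steps described above, together with the debugging-only decode from "Inspecting tokens safely" and a verifier that pins the algorithm it accepts, as an added example that is not part of the original page. It uses HS256 because that needs only the Python standard library; the secret, the claim values and the function names (`mint_hs256`, `inspect`, `verify_hs256`, `tamper_payload`) are all constructed for this demonstration. For RS256 or ES256 the flow is the same except that the issuer signs with a private key and the verifier holds only the public key.

```python
# Added example (not from the original page): minting, inspecting and verifying
# an HS256 JWT with only the Python standard library. The secret, claims and
# function names below are constructed for this demonstration.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample secret; a real deployment keeps this server-side only.
SAMPLE_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(raw: bytes) -> str:
    """Base64URL without '=' padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Base64 needs."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature for HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact JSON (no spaces) matches what common JWT libraries emit.
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(tag)}"


def inspect(token: str) -> Tuple[dict, dict]:
    """Decode header and payload WITHOUT checking the signature: debugging only."""
    header_b64, payload_b64, _ = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims if the token is authentic and unexpired, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier decides which algorithm it accepts; the header is only
    # checked for consistency with that choice, never used to pick one.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def tamper_payload(token: str, new_claims: dict) -> str:
    """Negative test helper: swap the payload but keep the old signature."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode("utf-8"))
    return f"{header_b64}.{payload_b64}.{sig_b64}"


if __name__ == "__main__":
    issued = int(time.time())
    # Custom claim namespaced with a URI prefix, as the Payload section advises.
    token = mint_hs256({"sub": "user-123", "iat": issued, "exp": issued + 300,
                        "https://example.test/role": "reader"}, SAMPLE_SECRET)
    print("inspect (readable, not proven):", inspect(token))
    print("verified claims:", verify_hs256(token, SAMPLE_SECRET))
    forged = tamper_payload(token, {"sub": "user-123", "exp": issued + 300,
                                    "https://example.test/role": "admin"})
    print("forged payload still decodes:", inspect(forged)[1])
    try:
        verify_hs256(forged, SAMPLE_SECRET)
    except ValueError as err:
        print("forged token rejected:", err)
```

`inspect` is the "decoding shows claims" step: it returns the forged payload just as readily as the genuine one, which is why it must never stand in for `verify_hs256`. The verifier does three things a library does for you: checks the three-segment shape, pins the algorithm and compares the MAC with `hmac.compare_digest`, then enforces `exp` against a clock you control.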