What is JWT? From Concept to Structure Explained
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. Defined in RFC 7519, JWTs are the backbone of modern stateless authentication.
The Three-Part Structure
A JWT consists of three Base64URL-encoded parts separated by dots:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0IiwibmFtZSI6IkpvaG4iLCJpYXQiOjE1MTYyMzkwMjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
HEADER . PAYLOAD . SIGNATURE
Header
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
Specifies the signing algorithm and token type.
Payload (Claims)
```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}
```
Contains the claims: statements about the user and metadata about the token itself. Standard (registered) claims include:
| Claim | Name | Description |
|---|---|---|
| `iss` | Issuer | Who created the token |
| `sub` | Subject | Who the token refers to |
| `aud` | Audience | Who the token is intended for |
| `exp` | Expiration | When the token expires (Unix timestamp) |
| `iat` | Issued At | When the token was created |
| `jti` | JWT ID | Unique identifier for the token |
Signature
```
HMAC-SHA256(
  base64url(header) + "." + base64url(payload),
  secret
)
```
The signature ensures the token hasn't been tampered with. Only someone with the secret key can produce a valid signature.
How JWT Authentication Works
1. User logs in with credentials
2. Server validates credentials, creates a JWT signed with its secret
3. Server returns the JWT to the client
4. Client includes the JWT in subsequent requests: Authorization: Bearer <token>
5. Server validates the signature and extracts the claims; no database lookup is needed
This stateless design is why JWTs scale so well in distributed systems.