JWT Header

The JWT header is the first segment of a token, a base64url-encoded JSON object that typically includes alg (signing algorithm) and typ (token type, usually JWT). Optional fields include kid (key identifier) and cty (content type). Verifiers must read the header before verification to select the correct key and algorithm. The header is signed along with the payload, so tampering invalidates the signature. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail.

Why It Matters

The alg header is a frequent attack surface. Accepting attacker-controlled algorithm values — especially none or HS256 with a public RSA key — causes algorithm confusion vulnerabilities. Always enforce an allowlist of expected algorithms in your verifier configuration. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses.

Code Example

Standard JWT header
{
  "alg": "HS256",
  "typ": "JWT",
  "kid": "primary-key"
}

Related Terms

Related Tools

Related Articles

Frequently Asked Questions

What fields belong in the JWT header?

At minimum alg and typ. Add kid when multiple signing keys are active. Avoid unnecessary custom header fields. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

Can attackers change the header?

They can try, but changing alg or kid without a valid signature causes verification to fail when properly implemented. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

What does typ JWT mean?

It indicates a JSON Web Token per RFC 7519. Some nested token formats use different typ values. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.