You've seen them: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
That's a JWT: three Base64URL-encoded parts separated by dots. Understanding what's inside is crucial for modern web development.
The Three Parts
A JWT has three components: header, payload, and signature. Each is Base64URL-encoded and separated by a dot.
The header typically contains the algorithm (HS256, RS256) and token type (JWT).
The payload contains the claims—statements about the user or subject. Standard claims include "iss" (issuer), "exp" (expiration), and "sub" (subject).
The signature verifies the token hasn't been tampered with.
What Claims Should You Include?
Standard claims: exp (when it expires), iat (when it was issued), sub (who it's about).
Custom claims: user_id, roles, permissions, email—whatever your application needs.
The Security Reality
JWTs are signed, not encrypted. Anyone can decode the Base64URL and read the payload. Only the signing key is secret: a shared secret for symmetric algorithms like HS256, or a private key for asymmetric algorithms like RS256.
Never put sensitive data like passwords in a JWT payload. Anyone can decode it.
How to Validate
Always verify the signature. Check the expiration. Validate the issuer and audience claims if you use them. Use a well-tested library—don't roll your own validation.
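An added stdlib-only Python illustration of the three points above (the payload is readable without a key, the HS256 signature is an HMAC over the first two parts, and exp/iss/aud are checked only after the signature passes); this is not code from the original post. It decodes the post's sample token without any key, then signs and verifies a token of its own; the secret, issuer and audience values are constructed for the example, and the code shows what a maintained library does for you rather than replacing one.

```python
import base64, hashlib, hmac, json, time

# Token from the post above; used only to show that the payload reads without any key.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore stripped padding

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token):
    """Header and payload only. No key is involved, which is why nothing in them is secret."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def sign_hs256(claims, secret):
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token, secret, issuer, audience, now=None):
    """Returns the claims or raises ValueError. Signature first, then the claims."""
    h, p, s = token.split(".")
    # Pin the algorithm server-side; the token's own header must not get to choose it.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    return claims

def rejection_reason(token, secret, issuer, audience, now=None):
    """None if the token is accepted, otherwise the reason it was refused."""
    try:
        verify_hs256(token, secret, issuer, audience, now)
    except ValueError as e:
        return str(e)
    return None
```

Calling `decode_unverified(PAGE_TOKEN)` returns the header and the John Doe payload from the post with no secret at all, while `rejection_reason(PAGE_TOKEN, b"any-guess", ...)` reports "bad signature" because the key, not the payload, is what protects the token.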