ByteBench Guides

JWT Header, Payload, Signature Explained

Break down each JWT part and learn what can be trusted at each verification step.

Quick answer: JWT header describes signing metadata, payload stores claims, and signature protects integrity. Only a verified signature with policy checks makes claims trustworthy.

Header and payload meaning

The header typically contains `alg` and optional `kid`. The payload contains claims like `sub`, `exp`, `iss`, and `aud`.

Both header and payload are merely encoded, not encrypted, so anyone holding the token can read them; they should not contain confidential data.

  • Header identifies algorithm/key metadata.
  • Payload carries identity and context claims.
  • Decoded content is not proof of validity.

What signature verification proves

A valid signature proves token integrity relative to a specific key and algorithm.

It does not prove the token is currently allowed by your application policy.

  • Signature valid -> token not modified since signing.
  • Still validate claim semantics and authorization context.
  • Reject tokens that fail time-based claim checks.

FAQ

Can I trust `alg` directly from the token header?

No. Your server should enforce allowed algorithms independently and never trust arbitrary header values.

Why does an expired token still pass signature verification?

Signature integrity and claim validity are separate checks. Expiration is a policy check after cryptographic verification.
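The verification order described in the section above and in the two FAQ answers on `alg` and expiry, as an added example that is not part of the original guide: a small HS256 verifier that enforces its own algorithm allow-list, checks the signature in constant time, and only then applies issuer, audience and expiry policy. The secret, issuer and audience values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: the shared HMAC secret and the server's policy.
SECRET = b"constructed-demo-secret"
ALLOWED_ALGS = {"HS256"}  # fixed by the server, never read from the token
EXPECTED_ISS, EXPECTED_AUD = "https://issuer.example", "api.example"

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(header, payload, secret):
    """Issuer side: mint a token so the verifier below has input."""
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token, secret, now=None):
    """Return (accepted, reason, claims). Steps 1-3 establish integrity;
    step 4 applies application policy, which the signature says nothing about."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))   # decodable, but not yet trusted
        payload = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:   # wrong segment count, bad base64url or bad JSON
        return False, "malformed", {}
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed", {}
    # 1. The server's allow-list decides the algorithm; the header may only agree with it.
    if header.get("alg") not in ALLOWED_ALGS:
        return False, "alg not allowed", payload
    # 2. Recompute the MAC over the exact bytes the issuer signed.
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    # 3. Constant-time compare; a mismatch means the token was altered or signed with another key.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", payload
    # 4. Policy checks: an intact token can still be expired or meant for someone else.
    if payload.get("iss") != EXPECTED_ISS:
        return False, "wrong issuer", payload
    if payload.get("aud") != EXPECTED_AUD:
        return False, "wrong audience", payload
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired", payload
    return True, "ok", payload
```

Passing `now` explicitly makes the expiry decision reproducible in tests; an expired token fails at step 4 with its signature still intact, which is exactly the separation the FAQ describes.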

Should payload include user roles?

It can, but keep claims minimal and avoid exposing sensitive data that could leak through logs or client storage.