A JWT is composed of three parts, separated by a period (.):
<header>.<payload>.<signature>
- Header: a JSON object that contains information about the token, such as its type and the algorithm used to produce the signature, for example, { "alg": "HS512", "typ": "JWT" }.
- Payload: a JSON object that contains a set of claims about the subject, such as its identity and permissions, for example, { "sub": "e@ma.il" }.
- Signature: a string that is either a Message Authentication Code (MAC) or a digital signature. The purpose of the signature is to ensure the authenticity and integrity of the payload.
The header and payload are then base-64 encoded to keep the token compact. A simple JWT may look like this (newlines have been inserted for readability): ...
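To make the three-part layout concrete, here is an added example (not code from the original page) that builds an HS512 token from a header and a { "sub": ... } payload using only the Python standard library, and a matching verifier that pins the algorithm and compares the MAC in constant time. The key is a constructed demo value.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(payload: dict, key: bytes) -> str:
    """Build an HS512 token: b64url(header).b64url(payload).b64url(MAC)."""
    header = {"alg": "HS512", "typ": "JWT"}
    # separators=(",", ":") drops whitespace so the token stays compact
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url(mac)


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the MAC is valid for this key, otherwise None.

    The expected algorithm is pinned on the verifier side instead of being
    taken from the untrusted header, and the MAC is compared in constant time.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS512":
            return None  # refuse any algorithm other than the one we expect
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha512).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # payload or signature was altered, or wrong key
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad base64url or malformed JSON
        return None
```

Pinning the algorithm in the verifier matters because the header is attacker-controlled input until the MAC has been checked.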