JWT Explained: Header, Payload, Signature and Claims
Understand how JSON Web Tokens work, what JWT decoding means, and which claims developers should inspect first.
What a JWT contains
A JWT usually has three Base64URL sections: header, payload and signature. The header describes the token type and algorithm, the payload contains claims, and the signature helps the server verify integrity.
Claims to inspect first
Check exp, iat, iss, aud, sub, scope, roles and tenant identifiers. These claims explain why a token is accepted, why it is rejected, or why it lacks the expected permissions.
Decoding is not verification
Decoding makes the token readable. It does not prove the signature is valid. Verification requires the correct secret or public key.
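The three-section structure described above and the difference between decoding and verifying, as an added Python example (not code from this guide). It uses only the standard library; the secret, issuer, audience and claim values are constructed placeholders.

```python
import base64, hashlib, hmac, json

def b64url_decode(part: str) -> bytes:
    # JWT sections are Base64URL without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt(token: str) -> dict:
    # Decoding only: makes header and claims readable, proves nothing about the signature.
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "claims": json.loads(b64url_decode(payload_b64))}

def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now: int) -> tuple:
    # Verification: check the HMAC-SHA256 signature first, then the exp/iss/aud claims.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm instead of trusting the header
        return False, "unexpected alg"
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    if claims.get("aud") != audience:
        return False, "wrong audience"
    return True, "ok"

def make_hs256(claims: dict, secret: bytes) -> str:
    # Issue a token: header.payload signed with the shared secret.
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"

# Constructed sample values (placeholders, not from any real deployment).
SECRET = b"example-shared-secret"
NOW = 1_700_000_000
CLAIMS = {"iss": "https://issuer.example", "aud": "api.example", "sub": "user-42",
          "iat": NOW - 60, "exp": NOW + 3600, "roles": ["reader"], "tenant": "t-1"}
TOKEN = make_hs256(CLAIMS, SECRET)
```

A payload edited after signing still decodes cleanly, which is exactly why decode_jwt must never stand in for verify_hs256 on the server side.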