JWTs are Base64URL Encoded Strings
July 18, 2026TIL a JWT (JSON Web Token) is a couple Base64URL encoded strings with a
signature. A JWT takes the structure <header>.<payload>.<signature>. The
header and payload of a JWT aren’t secret (they’re Base64URL encoded). The
magic of JWTs is how the signature is calculated. Calculate the signature by
Base64URL encoding the header and payload then hashing with a secret
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret).
Modifying the header or payload changes the signature–making the data
untrustworthy.