Task 1 of 3
What Is a JWT?
## The Token That Proves Who You Are
When you log into a modern web app, the server often gives you a **JWT (JSON Web Token)** — a small string you send with every future request to prove you're logged in.
A JWT looks like three Base64URL-encoded chunks (Base64 with a URL-safe alphabet and no `=` padding) separated by dots:
```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.
eyJzdWIiOiJqb2huIiwicm9sZSI6InVzZXIifQ
.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```
The three parts are:
| Part | Contains | Colour in JWT.io |
|---|---|---|
| **Header** | Algorithm used to sign | Red |
| **Payload** | Your claims (username, role, etc.) | Purple |
| **Signature** | Proof the token wasn't tampered with | Blue |
---
### Reading the Payload
The payload is just Base64 — anyone can decode it. Try pasting a token into **jwt.io** and you'll see something like:
```json
{
  "sub": "john",
  "name": "John Smith",
  "role": "user",
  "iat": 1716000000
}
```
This is **not encrypted**. Anyone who holds the token can read these claims. The security comes from the **signature** — not from hiding the data.
---
### The Signature Is the Lock
The signature is created like this:
```
HMAC-SHA256(
    base64url(header) + "." + base64url(payload),
    SECRET_KEY
)
```
The input to the HMAC is the first two encoded chunks exactly as they appear in the token, joined by the dot; the output is Base64URL-encoded to form the third chunk.
If you change the payload (e.g. change `"role":"user"` to `"role":"admin"`) without knowing the secret, the signature won't match. The server rejects the token.
**Unless** the secret is weak enough to crack.
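To make the three parts concrete, here is an added Python example (it is not part of the original task material) that builds an HS256 token, reads the payload without any key, and verifies the signature over the first two chunks. The secret key and the claims are constructed for the example; the check also pins the algorithm to HS256, which goes a step beyond the text above.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; a real key should be long and random.
SECRET_KEY = b"example-secret-do-not-use"


def b64url_encode(raw: bytes) -> str:
    """Base64URL without the '=' padding, as JWTs use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JWT encoding strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(header: dict, payload: dict, key: bytes) -> str:
    """Build a token: HMAC-SHA256 over 'encoded header + . + encoded payload'."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(mac)}"


def read_claims(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature: anyone holding the token can."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify(token: str, key: bytes):
    """Return the claims only if the signature matches under `key`, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        given = b64url_decode(s)
    except ValueError:  # wrong number of parts, bad Base64URL, or bad JSON
        return None
    # Pin the algorithm: a header naming any other alg (including "none") is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return None
    return claims
```

With the header and payload from the token shown at the top of this page, `sign` reproduces its first two chunks exactly; only the signature differs, because the secret differs.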