The signature is formed as follows:
- The header is base64 encoded: base64(header).
- The payload is base64 encoded: base64(payload).
- Now join the values in Step 1 and Step 2 with a "." in the middle:
base64UrlEncode(header) + "." +base64UrlEncode(payload)
- Now, the signature is attained by hashing, using the algorithm specified in the header, the value attained in Step 3, and then appending it with the secret text (say packtpub) of your choice:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
packtpub
)
The final JWT is as shown here:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlRlc3QgVXNlciIsImlhdCI6MTUxNjIzOTAyMn0.yzBMVScwv9Ln4vYafpTuaSGa6mUbpwCg84VOhVTQKBg
The website https://jwt.io/ is a place I always visit for any of my JWT needs. The sample data used in this example is from that site:
Figure 2: Screen grab from https://jwt.io/