August 2018
The signature of a JSON Web Token (JWT) ensures that the token was not altered at any point. If the token is signed with a secret key, then the signature also verifies the sender of the token. The signature is a keyed hash computed over the encoded header and the encoded payload, joined by a period, using the secret key and the hashing algorithm specified in the header. The following is an example:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secretKey)
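The formula above, carried through as an added example (not code from the book): it signs a token with HMAC-SHA256 and then verifies it, rejecting altered payloads, wrong keys, and headers that name a different algorithm. The function names, the key, and the claims are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    # JWTs use URL-safe base64 with the trailing "=" padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding that the encoder stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header: dict, payload: dict, secret_key: bytes) -> str:
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode("utf-8"))
             for p in (header, payload)]
    signing_input = ".".join(parts)
    mac = hmac.new(secret_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token: str, secret_key: bytes):
    """Return the payload dict if the signature is valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        supplied = b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    except ValueError:  # wrong segment count, bad base64, bad JSON, non-ASCII
        return None
    # Pin the algorithm: never let the token's own header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret_key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, supplied):
        return None
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None

# Constructed sample values for illustration only.
SAMPLE_KEY = b"constructed-demo-secret-key"
SAMPLE_HEADER = {"alg": "HS256", "typ": "JWT"}
SAMPLE_PAYLOAD = {"sub": "alice", "admin": False}

if __name__ == "__main__":
    print(verify_hs256(sign_hs256(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_KEY), SAMPLE_KEY))
```

The signature is computed over the exact encoded strings, so the verifier recomputes it from the received segments rather than re-encoding the decoded JSON.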