Understanding the JWT Header Section
The first segment of a JWT is the header, a base64url-encoded JSON object that describes how the token is signed. The most important field is alg, which names the signing algorithm: HS256 (HMAC-SHA256, symmetric), RS256 (RSA-SHA256, asymmetric with a public/private key pair), or ES256 (ECDSA, used by modern OAuth providers). The typ field is almost always JWT. Understanding the header algorithm is critical when you encounter signature verification errors: the majority of JWT authentication bugs come down to the algorithm your backend verifies with not matching the one declared in the header.
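The following is an added example, not code from the original page, showing how a backend reads the header of a compact-serialized JWT and how the alg mismatch described above surfaces as a verification error. It uses only the Python standard library, constructs its own sample key and token inline (the SECRET_KEY value is a made-up example), and implements HS256 only. The server-side check pins the expected algorithm and merely compares the header's alg against it; the header is never used to decide which verification routine to run, so a header declaring a different algorithm fails before any signature is checked.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key for this example only; a real service loads its
# secret from a key store, never from source code.
SECRET_KEY = b"example-hs256-secret-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JWT strips, then decode."""
    text += "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text)


def decode_header(token: str) -> dict:
    """Return the header JSON of a compact JWT without verifying anything.

    Useful for diagnosing mismatch errors: it shows what alg the token claims.
    """
    segment = token.split(".")[0]
    return json.loads(b64url_decode(segment))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a compact JWT with an HS256 header (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Verify a token the server expects to be signed with HS256 and return its payload.

    expected_alg is fixed by the backend configuration. The header's alg is only
    compared against it; the verifier never switches algorithms based on the header.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(
            f"algorithm mismatch: header says {header.get('alg')!r}, "
            f"backend expects {expected_alg!r}"
        )
    if header.get("typ", "JWT") != "JWT":
        raise ValueError(f"unexpected typ {header.get('typ')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking signature bytes via timing.
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))


def verify_outcome(token: str, key: bytes, expected_alg: str) -> dict:
    """Wrap verify_hs256 so a caller (or log line) gets the failure reason as data."""
    try:
        return {"ok": True, "payload": verify_hs256(token, key, expected_alg), "error": None}
    except ValueError as exc:
        return {"ok": False, "payload": None, "error": str(exc)}


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice"}, SECRET_KEY)
    print("header:", decode_header(token))
    print("correct backend config:", verify_outcome(token, SECRET_KEY, "HS256"))
    # The mismatch the text describes: backend configured for RS256, token says HS256.
    print("misconfigured backend:", verify_outcome(token, SECRET_KEY, "RS256"))
    print("wrong key:", verify_outcome(token, b"some-other-key", "HS256"))
```

When a verification error appears in production, decode_header on the offending token tells you immediately whether the failure is an algorithm mismatch (a configuration problem) or a signature failure under the right algorithm (a key or tampering problem), which is the distinction the error strings above preserve.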