JWTs have three base64url-encoded parts: header.payload.signature.
What you're seeing
JSON Web Tokens carry claims in three dot-separated base64url-encoded parts: header (algorithm), payload (claims), signature (verifying integrity).
Anyone can decode the payload — JWTs are signed, not encrypted. Never put secrets in claims.
Standard claims: iss (issuer), sub (subject), aud (audience), exp (expiry), iat (issued at), nbf (not before).
★ KEY TAKEAWAY
JWTs are signed, not encrypted. Anyone can decode the payload — never put secrets in claims.
▶ WHAT TO TRY
- Paste a JWT or use the sample.
- See the three base64url parts: header, payload, signature.
- Check the expiry: the exp claim tells you whether the token is still within its lifetime.
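
The steps above as an added Node.js example (not this page's own tool code): it splits a token into its three parts, decodes the header and payload, and evaluates `exp` and `nbf` against a supplied clock. The function names and the sample token are constructed for illustration, and nothing here verifies the signature, so the output is for inspection only.

```javascript
// Added example: decode (NOT verify) a JWT and evaluate its time claims.

// base64url -> JSON: swap the URL-safe characters back and restore padding.
function b64urlToJson(part) {
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Hypothetical helper name. nowSeconds is injectable so results are repeatable.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  const b64url = /^[A-Za-z0-9_-]+$/;
  if (parts.length !== 3 || !b64url.test(parts[0]) || !b64url.test(parts[1])) {
    throw new Error("expected header.payload.signature in base64url");
  }
  const header = b64urlToJson(parts[0]);   // algorithm and token type
  const payload = b64urlToJson(parts[1]);  // claims, readable by anyone
  const { exp, nbf } = payload;

  let timeStatus = "no exp claim";
  if (typeof nbf === "number" && nowSeconds < nbf) {
    timeStatus = "not yet valid";          // current time is before nbf
  } else if (typeof exp === "number") {
    timeStatus = nowSeconds >= exp ? "expired" : "within lifetime";
  }
  // Decoding proves nothing about integrity: the signature was not checked.
  return { header, payload, timeStatus, signatureVerified: false };
}

// Constructed sample token (placeholder signature, example.com-style values).
function toB64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ iss: "https://issuer.example", sub: "user-123", aud: "api.example",
             iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJlLW5vdC1jaGVja2Vk",
].join(".");

console.log(inspectJwt(SAMPLE, 1700000100));
```

A server accepting tokens must verify the signature with the expected key and algorithm before it trusts any claim shown here.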