## Decoding JSON Web Tokens JSON Web Tokens (JWT) are widely used for stateless authentication and authorization. A JWT consists of three parts separated by dots: 1. **Header**: Contains metadata about the algorithm and token type. 2. **Payload**: Houses the core user claims, roles, scopes, and expiration details. 3. **Signature**: Validates that the token has not been altered. ### Base64URL Encoding vs. Encryption A common misconception is that JWTs are encrypted. In reality, they are merely **encoded** using the Base64URL format. Anyone with access to the token string can read the header and payload claims. - **Do not store private secrets** (like passwords, keys, or credentials) inside a JWT payload. - **Always verify the signature** on your backend server before trusting the token data. Using our local **JWT Decoder**, you can securely paste and inspect your tokens without transmitting them over HTTP, protecting your credentials during testing.