Developer • Mar 21, 2026 • 6 min read
JWT Decoder Demystified: What is Inside Your Auth Token
A JWT is three base64url-encoded segments joined by dots: header.payload.signature. Only the signature depends on a secret; everything else is readable by anyone holding the token.
A JSON Web Token (JWT) has three parts separated by dots:

Header: the signing algorithm (alg) and the token type (typ).
Payload: the claims, such as sub (subject), iss (issuer), exp (expiry) and any custom data.
Signature: an HMAC keyed with a shared secret, or an RSA signature made with a private key, computed over the encoded header and payload.

The header and payload are base64url-encoded, not encrypted: anyone who holds the token can read them. Only the signature proves the token was issued by you, so always verify it server-side before trusting any claim.

Two common mistakes: trusting the alg header (an attacker can change it to "none", so the server must pin the algorithms it accepts instead of reading them from the token), and storing JWTs in localStorage, where any XSS bug can read them (prefer httpOnly cookies).

Our JWT Decoder shows you exactly what is in any token.
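As an added example (not the post's own decoder), a minimal Python decoder and HS256 verifier: decode_unverified reads the header and payload with no key at all, while verify_hs256 pins the algorithm, compares the HMAC in constant time and rejects expired tokens. The key, claims and tokens below are constructed for the demo.

```python
import base64, hashlib, hmac, json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_unverified(token: str) -> tuple[dict, dict]:
    # What a decoder shows: header and payload are readable by anyone, no key needed.
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, key: bytes, now: int) -> dict:
    # Server-side check: pin the algorithm, verify the MAC, then check exp.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the token's own alg header is never trusted
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload

def is_accepted(token: str, key: bytes, now: int) -> bool:
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    # Issuer side; used here only to build the constructed sample token.
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

# Constructed sample: demo key and claims, not real credentials.
DEMO_KEY = b"constructed-demo-key"
DEMO_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                        {"sub": "user-42", "iss": "example-issuer", "exp": 2000000000},
                        DEMO_KEY)
# Same payload with the header switched to alg "none" and the signature dropped:
# the mistake the post names, used here as a test input for the verifier.
_h, _p, _s = DEMO_TOKEN.split(".")
ALG_NONE_TOKEN = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()) + "." + _p + "."
```

Running is_accepted on ALG_NONE_TOKEN shows the point of pinning: the decoder happily displays its claims, but the verifier refuses it before ever looking at the (missing) signature.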