JWTs are Base64URL-encoded JSON. That's it. That's the whole secret. There's no encryption, no obfuscation, no magic — anyone who can see the token can read everything in the payload. I see this misunderstanding in production code constantly.
The structure is dead simple: three dot-separated segments. Header, Payload, Signature. Each one is Base64URL-encoded JSON (or, in the case of the signature, bytes). Paste a JWT into the tool and you'll see all three decoded instantly. The payload might contain {"sub":"user123","role":"admin","exp":1700000000} — all of that is visible to anyone intercepting the token.
This is why you don't put sensitive data in a JWT. Passwords, PII, credit card numbers — none of these belong in an unencrypted payload. Use JWE (JSON Web Encryption) if you need confidentiality. But honestly most JWTs are JWS (signed, not encrypted) and that's fine as long as you treat the payload as public.
The alg field in the header is where things get dangerous. That "alg: none" vulnerability? It's real and it's still out there. A token with "alg":"none" and no signature — forgeable by anyone. Production servers must never accept alg:none. Enforce the expected algorithm on the verification side, don't trust what the token claims.
Check the exp claim every time. A JWT without expiration is valid forever — leak one and you've given an attacker permanent access. Short-lived tokens (15 minutes) plus refresh tokens is the standard pattern.
The signature verification tab here is useful when you're debugging auth flows. Paste your server's secret (HMAC) or public key (RSA/ECDSA) and the tool tells you whether the signature matches. Doesn't match? Someone tampered with the payload, or you're using the wrong key.
I've wasted hours on "my auth doesn't work" only to discover the client is re-encoding the token somewhere in the chain and mangling the Base64URL into regular Base64. JWTs use Base64URL (no +, no /, no =) — substitute in regular Base64 and the decoder will choke. The tool handles both, which saves you the same debugging time.