
What Is a JWT and How Do You Safely Inspect Header and Payload?

A JWT has three parts: Header, Payload, and Signature. Header and Payload are Base64URL encoded, not encrypted, so anyone who holds the token can decode and read them; only the Signature stops them from changing what they read.

Published July 2, 2026 · 7 min read

JWTs are often used for authentication and API authorization, but they are not encrypted containers. Header and Payload decode directly to plain JSON, so a token must be treated as readable by anyone who obtains it.

xxxxx.yyyyy.zzzzz
header.payload.signature

A signed JWT, the common form, has three dot-separated parts: Header, Payload, and Signature. (An encrypted JWT, a JWE, has five, but this page covers the signed form.)

What Do the Three Parts Mean?

Part       Contains                                                      Encrypted?
Header     Algorithm and token type, such as alg and typ                 No
Payload    Claims such as sub, exp, and role                             No
Signature  A MAC or signature over header.payload, computed with a       No; it provides integrity and
           secret (HS256) or a private key (RS256, ES256)                authenticity, not secrecy

Safety Rules for Inspecting JWTs

  • Do not paste real production tokens into untrusted websites; a decoded token is still a usable credential.
  • Do not store passwords, identity numbers, payment data, or other sensitive values in Payload; anyone with the token can read them.
  • Being able to read Payload does not mean the token is valid. The signature must verify with the algorithm and key you expect, and exp, aud, and iss must still be checked.
  • HS256 is symmetric: verification uses the same shared secret that created the signature, so anyone who can verify can also forge. Never expose a production secret to frontend code or third-party pages.
  • Browser-local decoding is better than uploading sensitive tokens to a server-based tool.

Common Claims

Claim  Meaning              What to check
sub    Subject or user ID   Is it the expected user?
exp    Expiration time      Is it still in the future? A NumericDate: seconds since the Unix epoch
iat    Issued-at time       Is the token older than your policy allows?
aud    Audience             Is this service among the intended recipients? May be a string or an array
iss    Issuer               Does it come from the expected authority?

Summary

JWT Header and Payload are convenient for debugging, but they are not private. Safe JWT usage depends on verifying the signature with the expected algorithm and key, enforcing expiration, audience, and issuer, and keeping sensitive data out of the claims.