JWTs are often used for authentication and API authorization, but they are not encrypted containers. Header and Payload can be decoded directly.
A JWT usually has three dot-separated parts: Header, Payload, and Signature.
xxxxx.yyyyy.zzzzz
header.payload.signature
What Do the Three Parts Mean?
| Part | Contains | Encrypted? |
|---|---|---|
| Header segment | Algorithm and token type, such as alg and typ | No |
| Payload segment | Claims such as sub, exp, and role | No |
| Signature segment | A signature calculated with a secret or private key | No; it provides integrity, not confidentiality |
Safety Rules for Inspecting JWTs
- Do not paste real production tokens into untrusted websites.
- Do not store passwords, identity numbers, payment data, or other sensitive values in Payload.
- Being able to read Payload does not mean the token is valid; expiration and signature still matter.
- HS256 verification requires a secret; never expose a production secret to frontend code or third-party pages.
- Browser-local decoding is better than uploading sensitive tokens to a server-based tool.
Common Claims
| Claim | Meaning | What to check |
|---|---|---|
| sub | Subject or user ID | Is it the expected user? |
| exp | Expiration time | Has it already passed? (Usually a Unix timestamp) |
| iat | Issued-at time | Is the token too old? |
| aud | Audience | Is it meant for this service? |
| iss | Issuer | Does it come from the expected authority? |
Summary
JWT Header and Payload are convenient for debugging, but they are not private. Safe JWT usage depends on signature keys, expiration, and careful claim design.