JWT structure in three parts
A JSON Web Token is dot-separated Base64URL segments: header, payload, and signature. The header names the signing algorithm and token type. The payload carries claims—statements about the subject, issuer, audience, expiration, and custom fields.
The signature proves integrity and authenticity when validators know the secret or public key. Decoding reveals JSON content anyone with the token string can read; JWTs are signed, not encrypted, unless you use nested JWE formats this tool may not cover.
Never treat payload contents as secret just because strings look opaque. Client-side storage of JWTs exposes claims to XSS; put only non-sensitive data in payloads when possible.
Three-segment compact serialization is the common case; nested JWTs as claims are advanced patterns this decoder may not expand automatically.
Token size affects HTTP header limits— enormous custom claims break proxies before signature validation ever runs.