What is inside a JWT?
A JSON Web Token is three Base64URL-encoded segments joined by dots:
header.payload.signature. The header declares the signing algorithm
(alg) and token type; the payload carries the claims — standard ones like
sub (subject), iss (issuer), exp (expiry) and
iat (issued at), plus whatever custom claims your identity provider adds; the
signature lets the receiving server verify the token was not tampered with.
Because the first two segments are just Base64URL (see our
Base64URL tool), anyone can read a JWT — which is exactly what
this tool does when you debug an Authorization: Bearer header from your logs,
check why a token was rejected (expired? wrong audience? clock skew on nbf?), or
inspect what claims your OAuth/OIDC provider actually issues. Never put secrets in JWT
payloads, and never trust a decoded token without verifying its signature server-side.