What's Actually Inside a JWT? A Visual Walk-Through

DEV Community · Ashish Kumar · about 1 month ago
#part #myth #security #javascript #token #payload

You've seen this string a thousand times:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

You know it's a JWT. You know it sits in Authorization: Bearer …. You know it does something with auth. But if I asked you what the three dot-separated parts actually contain — and whether your service can trust any of them — could you answer without Googling? Most developers can't, and that gap is where a surprising number of production security bugs live.

This post is the walk-through I wish I'd had three years ago. Real token, real decode, the security claims that are true, and the ones that aren't.

A JWT in three parts

Every JSON Web Token has the form <header>.<payload>.<signature>, separated by dots. Each segment is base64url-encoded — note the url part; it's not the same as regular base64, which is why naive atob() calls sometimes blow up.…