You've seen JWT tokens everywhere — in Authorization: Bearer eyJ... headers, in cookies, in OAuth flows. But do you know what's actually inside one? This post explains JWT structure from scratch, how to decode them manually, what each claim means, and the mistakes developers make when trusting them. What Is a JWT? A JWT (JSON Web Token) is a compact, URL-safe string that represents a set of claims. Claims are facts about a subject — usually a user — such as their ID, email, role, or when their session expires. A JWT looks like this: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsIm5hbWUiOiJBbGljZSIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwNDA2NzIwMCwiZXhwIjoxNzA0MDcwODAwfQ.SIGNATURE_HERE Enter fullscreen mode Exit fullscreen mode It has exactly three parts separated by two dots: Header — algorithm and token type Payload — the claims (the actual data) Signature — verifies the token hasn't been tampered with Why Three Parts? Part 1: The Header The header is a Base64URL-encoded JSON object.…