Paste your JWT token to decode its header, payload, and signature
JWTs are a compact, URL-safe means of representing claims between two parties.
A JWT consists of three parts: header, payload, and signature.
The JWT payload is only base64url-encoded, not encrypted. Never put sensitive data in JWT claims.
Issuer - identifies who issued the JWT
Subject - identifies the subject of the JWT
Audience - identifies recipients
Expiration Time - when token expires
Issued At - when token was issued
Check if alg=none is accepted or if RS256 can be changed to HS256
Try brute forcing the HMAC secret with common passwords
Modify user roles, permissions, or expiration times