====== What is JSON Web Token (JWT) ======
A jwt look like this: (No worry, it has already been expired a long time ago)
<code>
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmYWtlX2xvZ2luIiwiZXhwIjoxNjA0NTM4ODIwLCJyb2xlcyI6IlJPTEVfVVNFUiwifQ.dIhtHS77agSc7_Wrkzn429aZeuWWXkXLopnMYBDJdZs
</code>
A JWT consist of 3 parts, ''header'', ''payload'', and ''verify signature'', and the are separated by ''.''  In the about case, we have:

<code>
//Header
eyJhbGciOiJIUzI1NiJ9
//Payload
eyJzdWIiOiJmYWtlX2xvZ2luIiwiZXhwIjoxNjA0NTM4ODIwLCJyb2xlcyI6IlJPTEVfVVNFUiwifQ
//Verify signature
dIhtHS77agSc7_Wrkzn429aZeuWWXkXLopnMYBDJdZs
</code>

The all part are encoded using base64, so you can use a base64 decoder to view the content. For example eyJhbGciOiJIUzI1NiJ9 ========base64 decode======> {"alg":"HS256"}. You can play around in https://www.base64decode.org/. Likewise for the Payload, **so if the token is leaked, the payload can be read by anyone!** All in all, you ''do not want the token to be leaked, and share around even if it has already expired'' It might still contain sensitive information.

The verify signature is the signature of the algorithm mentioned in the header of base64 encoded header and base64 encoded payload with a "." in the middle. In this case it the result of HS256(eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmYWtlX2xvZ2luIiwiZXhwIjoxNjA0NTM4ODIwLCJyb2xlcyI6IlJPTEVfVVNFUiwifQ).

jwt.io has an interactive JWT encode/decoder, you can play it around on https://jwt.io/.