A JWT looks like this (don't worry, it expired a long time ago):
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmYWtlX2xvZ2luIiwiZXhwIjoxNjA0NTM4ODIwLCJyb2xlcyI6IlJPTEVfVVNFUiwifQ.dIhtHS77agSc7_Wrkzn429aZeuWWXkXLopnMYBDJdZs
A JWT consists of 3 parts: header, payload, and verify signature, and they are separated by "."
In the above case, we have:
//Header
eyJhbGciOiJIUzI1NiJ9
//Payload
eyJzdWIiOiJmYWtlX2xvZ2luIiwiZXhwIjoxNjA0NTM4ODIwLCJyb2xlcyI6IlJPTEVfVVNFUiwifQ
//Verify signature
dIhtHS77agSc7_Wrkzn429aZeuWWXkXLopnMYBDJdZs
All the parts are encoded using base64, so you can use a base64 decoder to view the content. For example, eyJhbGciOiJIUzI1NiJ9 ==base64 decode==> {"alg":"HS256"}. You can play around at https://www.base64decode.org/. The same goes for the payload, so if the token is leaked, the payload can be read by anyone! All in all, you do not want the token to be leaked or shared around, even if it has already expired: it might still contain sensitive information.
The verify signature is the signature, computed with the algorithm named in the header, over the base64-encoded header and the base64-encoded payload joined by a "." in the middle. In this case it is the result of HS256(eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmYWtlX2xvZ2luIiwiZXhwIjoxNjA0NTM4ODIwLCJyb2xlcyI6IlJPTEVfVVNFUiwifQ).
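Added example (not code from the original post): Python that decodes the token above without any key, then computes and checks an HS256 signature over header.payload. HS256 is HMAC-SHA256 and needs a secret key; the key used for the page's token is not known, so DEMO_SECRET and the helper names here are assumptions made up for this example.

```python
import base64, hashlib, hmac, json

# Token copied from the page above (expired); its signing secret is not known here.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiJ9."
              "eyJzdWIiOiJmYWtlX2xvZ2luIiwiZXhwIjoxNjA0NTM4ODIwLCJyb2xlcyI6IlJPTEVfVVNFUiwifQ."
              "dIhtHS77agSc7_Wrkzn429aZeuWWXkXLopnMYBDJdZs")
DEMO_SECRET = b"constructed-demo-secret"  # assumption: sample key made up for this example

def b64url_decode(part: str) -> bytes:
    # JWT parts use URL-safe base64 with the '=' padding stripped; restore it first.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def read_unverified(token: str):
    """Decode header and payload with no key: what anyone holding the token can read."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(signing_input: str, secret: bytes) -> str:
    # HS256 = HMAC-SHA256 over "<header_b64>.<payload_b64>", keyed with the secret.
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return b64url_encode(mac)

def verify_hs256(token: str, secret: bytes) -> bool:
    try:
        header_b64, payload_b64, signature = token.split(".")
        alg = json.loads(b64url_decode(header_b64)).get("alg")
        expected = sign_hs256(f"{header_b64}.{payload_b64}", secret)
    except (ValueError, AttributeError):
        return False  # wrong number of parts, bad base64 or bad JSON
    # Pin the algorithm the server expects instead of trusting the header's choice.
    if alg != "HS256":
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())

def resign(token: str, secret: bytes) -> str:
    """Re-sign a token's header.payload with our own key (demo only)."""
    signing_input = token.rsplit(".", 1)[0]
    return f"{signing_input}.{sign_hs256(signing_input, secret)}"

if __name__ == "__main__":
    print(read_unverified(PAGE_TOKEN))  # readable without any key
    good = resign(PAGE_TOKEN, DEMO_SECRET)
    head, _, sig = good.split(".")
    edited = b64url_encode(b'{"sub":"fake_login","roles":"ROLE_ADMIN"}')
    print(verify_hs256(good, DEMO_SECRET), verify_hs256(f"{head}.{edited}.{sig}", DEMO_SECRET))
```

Changing a single claim in the payload makes the stored signature stop matching, which is why the server must verify before trusting anything it decoded.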
jwt.io has an interactive JWT encoder/decoder; you can play around with it at https://jwt.io/.