Decoding JWT Tokens to Read Payload Claims (No Install Required)

JWT (JSON Web Token) is everywhere in modern authentication — if you've worked with any REST API, OAuth flow, or session-based auth system in the past five years, you've almost certainly encountered one. But a raw JWT looks like meaningless gibberish: three chunks of characters separated by dots. Understanding what's actually inside is straightforward once you know the structure.

What does a JWT token actually contain?

A JWT has three base64url-encoded parts separated by periods: