If you've worked with any modern authentication system — OAuth, Firebase Auth, Auth0, a custom login flow — you've run into a JWT. It looks like meaningless noise at first glance: three chunks of random-looking text separated by dots. It's not random at all, and you don't need a library to read it.

The three parts

A JWT is always structured as header.payload.signature. Each of the first two parts is a JSON object, Base64URL-encoded into text. The third part is a cryptographic signature that proves the token wasn't tampered with — but critically, it does NOT encrypt the header or payload. Anyone can decode and read them without a secret key.

The header

Usually just two fields: alg (the signing algorithm, commonly HS256 or RS256) and typ (always "JWT"). Not much to see here — it's metadata about the token itself.