We've established that Base64 isn't encryption and that you can't un-hash a password. JWTs are where both of those facts collide — and where the misunderstanding gets expensive, because this one has a CVE class named after it.
Here's the claim that surprises people the first time: a JWT is not encrypted, and anyone holding one can read every claim inside it without a key, a library, or your permission. That's not a bug. But if you don't know it, you will eventually put something in a token that shouldn't be there.
Three dots, three parts
A JWT is a string with exactly two dots in it:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiQWxpY2UiLCJhZG1pbiI6dHJ1ZX0.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk






