• JSON Web Tokens are used for authentication and information exchange

• Three parts: Header (algorithm), Payload (claims), Signature (verification)

• Base64 encoded - Not encrypted, so don't store sensitive data

• Stateless - All information is contained within the token itself

• Common algorithms: HS256, RS256, ES256

• Never store secrets in JWT payload - it's only base64 encoded

• Verify signatures in production - this tool only decodes

• Check expiration - Always validate exp claim

• Use HTTPS - Prevent token interception

• Short expiration - Use refresh tokens for long sessions