TIL a JWT (JSON Web Token) is a couple Base64URL encoded strings with a signature. A JWT takes the structure <header>.<payload>.<signature>. The header and payload of a JWT aren’t secret (they’re Base64URL encoded). The magic of JWTs is how the signature is calculated. Calculate the signature by Base64URL encoding the header and payload then hashing with a secret HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret). Modifying the header or payload changes the signature–making the data untrustworthy.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJtZXNzYWdlIjoiSGVsbG8sIFdvcmxkISJ9.
PDCAOVDBAyeZBAm_YIKD_RmoxMCObOqUXbLg9dEp6zM

Introduction: jwt.io

Spec: RFC 7519