TIL a JWT (JSON Web Token) is a couple Base64URL encoded strings with a
signature. A JWT takes the structure <header>.<payload>.<signature>. The
header and payload of a JWT aren’t secret (they’re Base64URL encoded). The
magic of JWTs is how the signature is calculated. Calculate the signature by
Base64URL encoding the header and payload then hashing with a secret
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret).
Modifying the header or payload changes the signature–making the data
untrustworthy.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJtZXNzYWdlIjoiSGVsbG8sIFdvcmxkISJ9.
PDCAOVDBAyeZBAm_YIKD_RmoxMCObOqUXbLg9dEp6zM
Introduction: jwt.io
Spec: RFC 7519