
Hacking JSON Web Token


JWT is a URL-safe, stateless way of transferring claims. A JWT token looks something like this:

Header.UserStateInformation.Signature

Sample:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

The three parts of the token are separated by dots. The first and second parts can easily be converted back to ASCII, as they are just the base64url encoding of plain text, so anyone holding the token can read them without any key. That being said, let's dig into these three parts of a JWT. The header contains information about the algorithm used to sign the token (people say "encrypt", but the correct term would be keyed hash generation, i.e. a MAC :P).