A JWT has three dot-separated parts: header.payload.signature. The header declares the algorithm (HS256, RS256, ES256) and often a key id (kid). The payload is JSON with claims (sub, iat, exp, custom fields). The signature is what lets your server detect tampering: it recomputes an HMAC over header.payload with the shared secret (HS256), or checks an RSA/ECDSA signature with the issuer's public key (RS256 / ES256). Note that the header and payload are only base64url-encoded, not encrypted, so anyone holding the token can read them.
Use cases: stateless auth (the JWT IS the session, so no server-side lookup, which also means no revocation before exp unless you keep a denylist), API tokens, OAuth access/ID tokens.
Common pitfalls: not verifying the signature at all (treating a token as trusted just because it parses), letting the token pick its own algorithm (alg=none, which good libraries have rejected since 2015, and algorithm confusion, where a verifier handed an RSA public key accepts an HS256 token signed with that public key as the HMAC secret), and not checking exp. Pin the expected algorithm and key on the verifier side instead of reading them from the header. The /tools/jwt-decoder page decodes a token in the browser without uploading it anywhere, which is useful when debugging.