We've established that Base64 isn't encryption and that you can't un-hash a password . JWTs are where both of those facts collide — and where the misunderstanding gets expensive, because this one has a CVE class named after it. Here's the claim that surprises people the first time: a JWT is not...
Source: [Dev.to](https://dev.to/anh_qunnguyn_57549060f/whats-actually-inside-a-jwt-and-why-decoding-one-isnt-verifying-it-5362)