Some facts:

• A JWT token is a set of alphanumeric characters divided in three sections separated by a dot (.). The first section represents the heading, the second one the payload and the third one the signature.
• All attributes are named with 3 letters because of performance reasons.
• In the heading, alg is the algorithm used to calculate the signature, typ is the token type (JWT in this case). Don't put sensitive information in your heading.
• In the payload, iss is the issuer, aud is the audience, iat is the issued at timestamp, exp is the expiration timestamp. These attributes are also known as claims. Don't put sensitive information in your payload.
• The signature is used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.
• Read the RFC at draft-jones-json-web-token-07 or RFC-7519.