Paste a JWT token. The server will verify and decode it.
Hint 1: Login first to get a valid token, then decode it at jwt.io — the secret is "secret".
Hint 2: Try changing the role to "admin" and re-signing with the same secret.
Hint 3: Try setting alg to "none" and removing the signature entirely.