The part when the JWT is decrypted and you extract the payload from it.
Lars Wächter JWTs aren't necessarily encrypted. The data is base64 encoded, but can be decoded easily. The key is that the signature can only be generated from the contents of the JWT being signed by a secret of some sort.