JWT – Why is the Payload Public in JSON Web Token?

Tags: authentication, json, jwt, security

I can't understand the reasoning for making the claims/payload of a JWT publicly visible after base64 decoding it.

Why?

It seems like it'd be much more useful to have it encrypted with the secret.

Can someone explain why, or in what situation, keeping this data public is useful?

Best Answer

You choose not to encrypt the payload for the same reasons that you choose not to encrypt anything else: the cost (however small it is) exceeds the benefit, and a lot of data simply doesn't need to be secured that way.

What you mostly need protection against is people tampering with the data so that the wrong record gets updated, or someone's checking account gets money in it that it's not supposed to have. The JSON Web Token's signature accomplishes that, because changing any part of the header/payload/signature combination invalidates the packet.

Note that you can still secure the packets at the Transport Layer by using SSL.
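To make the answer concrete, here is an added example (not from the original post) that builds a minimal HS256 JWT, reads its claims without the key, and shows that editing the payload while keeping the old signature fails verification. The secret and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment would use a random key of at
# least 256 bits, loaded from configuration rather than source code.
SECRET = b"constructed-demo-secret"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # JWT drops base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()

def sign_jwt(claims: dict, key: bytes) -> str:
    header = b64url_encode(_json({"alg": "HS256", "typ": "JWT"}))
    payload = b64url_encode(_json(claims))
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def read_payload_without_key(token: str) -> dict:
    # Anyone holding the token can do this: the payload is only base64url-encoded.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    # Returns the claims only when the signature checks out; None otherwise.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    # Pin the algorithm so a token claiming a different "alg" is refused.
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))

def replace_payload_keep_signature(token: str, new_claims: dict) -> str:
    # Simulates the tampering the answer describes: the claims change, the signature does not.
    header, _, sig = token.split(".")
    return f"{header}.{b64url_encode(_json(new_claims))}.{sig}"
```

Run `verify_jwt` on the output of `replace_payload_keep_signature` to see that the altered claims are readable but rejected, which is exactly the integrity property the signature provides.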
