A JSON Web Token is three base64url-encoded segments separated by dots: header.payload.signature. The header declares the signing algorithm (alg) and token type; the payload carries the claims — who the token is about (sub), who issued it (iss), and when it expires (exp).
Base64url is an encoding, not encryption: anyone holding a JWT can read its contents, which is exactly what this tool does. Never put secrets in a JWT payload. What makes a JWT trustworthy is the signature, which only the holder of the signing key can produce.
This decoder deliberately does not verify signatures — that requires the secret or public key and belongs in your backend. Use it to debug why a token is rejected: wrong audience, expired exp, clock skew on nbf, or an unexpected algorithm.