What's inside a JWT
A JSON Web Token has three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (the claims — user ID, roles, expiry), and a signature. The header and payload are only encoded, not encrypted, which is why any JWT can be decoded without a key.
Decoding is not verifying
This tool decodes tokens; it does not verify signatures. A decoded token tells you what it claims, not whether it's authentic. Signature verification requires the signing secret or public key and should happen on your server.
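The difference between decoding and verifying, as an added example that is not part of this tool's own code: it splits a constructed HS256 token into its three Base64URL parts, decodes header and payload without any key, then shows that a tampered payload still decodes cleanly but fails HMAC verification against the (constructed) server-side secret.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(part: str) -> bytes:
    # JWT parts drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str) -> dict:
    """What a decoder does: read header and payload. No authenticity check."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
    }


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Mint a token the way an issuer would (HMAC-SHA256 over header.payload)."""
    compact = lambda d: b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """What the server must do: recompute the MAC and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Pin the algorithm the server expects instead of trusting the header's claim.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def tampered_payload(token: str, **changes) -> str:
    """Edit claims but keep the original signature: decodes fine, will not verify."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    new_payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


SECRET = b"constructed-demo-secret"  # constructed value, not a real key
TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                   {"sub": "user-42", "role": "user", "exp": 1700000000}, SECRET)
FORGED = tampered_payload(TOKEN, role="admin")
```

Both TOKEN and FORGED decode to readable JSON; only TOKEN passes verify_hs256 with SECRET, which is the check a decoder alone cannot give you.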
Is it safe to paste tokens here?
Yes — decoding happens entirely in your browser and the token is never transmitted. Still, treat live production tokens as credentials: prefer inspecting expired or development tokens where possible.