The alg field is not validated here, so attackers can forge alg unless you verify properly.

JWE is not supported on this page.

Why is payload not JSON?

Some tokens use payloads that are not JSON; parsing will fail.

JWT Decoder Online – Inspect JSON Web Token Header & Payload

Debug tokens by decoding JWT segments to JSON. Remember: JWT decode is not verification—anyone can read standard JWT payloads unless encrypted (JWE).

JWT

Decoded

The first two segments are Base64url-decoded and parsed as JSON.

The third segment is shown as-is; verifying it needs the secret or public key and is not done here.

Decoding is not verification. Anyone can read a JWT’s payload unless it is encrypted (JWE).

Do not paste production tokens into untrusted sites. This tool runs locally but treat the machine as trusted.

Algorithm trust?: The alg field is not validated here, so attackers can forge alg unless you verify properly.
Encrypted JWT?: JWE is not supported on this page.
Why is payload not JSON?: Some tokens use payloads that are not JSON; parsing will fail.
Offline?: Yes.