JWT decode

View header and payload; does not validate signatures or trust claims.

Paste a JWT (three Base64url segments). JSON is formatted for reading.

How it works

The first two segments are Base64url-decoded and parsed as JSON.

The third segment is shown as-is; verifying it needs the secret or public key and is not done here.
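The decode steps described above, as an added example (not this page's own code) that runs in a browser console or Node. The function names and the sample token are constructed for illustration, and as an assumption of this sketch a non-JSON payload is returned as raw text rather than raising an error.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies a signature.
const B64URL = /^[A-Za-z0-9_-]*$/;

function b64urlToText(segment) {
  // JWS segments are unpadded Base64url; a length of 4n+1 can never be valid.
  if (!B64URL.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not Base64url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: reject invalid UTF-8 instead of silently substituting U+FFFD.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("five segments: JWE, not supported");
  if (parts.length !== 3) throw new Error("expected three segments");
  const [h, p, signature] = parts;
  const header = JSON.parse(b64urlToText(h)); // header must parse as JSON
  const text = b64urlToText(p);
  let payload, payloadIsJson = true;
  try {
    payload = JSON.parse(text);
  } catch {
    payload = text;          // non-JSON payload: keep the raw text
    payloadIsJson = false;
  }
  // verified is always false: alg and every claim are untrusted input.
  return { header, payload, payloadIsJson, signature, verified: false };
}

// Constructed sample token; the signature segment is a placeholder string.
function b64url(text) {
  return btoa(text).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const sample = [
  b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64url(JSON.stringify({ sub: "user-123", admin: true })),
  "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
].join(".");

console.log(JSON.stringify(decodeJwt(sample), null, 2));
```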

Verification

Decoding is not verification. Anyone can read a JWT’s payload unless it is encrypted (JWE).

Secrets

Do not paste production tokens into untrusted sites. This tool runs locally, so a pasted token is only as safe as the machine it runs on.

Common questions

Algorithm trust?
The alg field is not validated here. It sits in the unverified header, so an attacker can set it to any value; do not trust it unless you verify the token properly.
Encrypted JWT?
JWE is not supported on this page.
Why is payload not JSON?
Some tokens use payloads that are not JSON; parsing will fail.
Offline?
Yes.