This decodes, it does not verify. It reads the header and payload, which are not encrypted, only encoded. It does not and cannot check the signature, so a decoded token is not a trusted one. Do not paste a live token for an account you care about into any tool you do not control.
Headerstamped
.
Payloadstamped
.
Time claims
Signature: paste a token to read its parts.
A JWT is three base64url parts joined by dots: header, payload, signature. The first two are decoded here. The signature is shown as present but is never verified, since verification needs the secret or public key and belongs on your server, not in a browser tool.