Decode a JWT's header and payload and inspect its claims. Signature is not verified.
No. This only decodes the header and payload, which are base64url-encoded but not encrypted — anyone can read them without a key. Signature verification requires the secret or public key and isn't performed here.
No — decoding happens entirely in your browser. That said, treat real tokens as sensitive and avoid pasting production tokens into any third-party tool you don't fully trust.