A JWT is usually a signed JWS; to hide the content you use an encrypted JWE. Here is the difference.
JWS (signed): only signs the header and payload. The content is base64url and readable by anyone; only tampering is verified — this is the JWT you usually see.
JWE (encrypted): encrypts the payload to hide the content. Unreadable without the key, used for sensitive data, with a five-part structure (four dots).
Most 'JWTs' are JWS. This decoder decodes JWS (JWE needs a decryption key).
In short: integrity only → JWS; confidentiality too → JWE (or JWS over TLS).
Try decoding a token yourselfJust paste and the header, payload and claims unfold instantly.