The algorithm used to make the signature (i.e. the alg property) is choosen by identity provider. By default, jwt.io use HS256, whereas Cognito (i.e. the identity provider of AWS that I used for the example) use RS256.

Both algorithms has the same goal but act in two different ways (and I will paste an excerpt of this great stackoverflow answer):
• RS256: is an asymmetric algorithm, and it uses a public/private key pair: the identity provider has a private (secret) key used to generate the signature, and the consumer of the JWT gets a public key to validate the signature. Since the public key, as opposed to the private key, doesn’t need to be kept secured, most identity providers make it easily available for consumers to obtain and use (usually through a metadata URL).
• HS256: involves a combination of a hashing function and one (secret) key that is shared between the two parties used to generate the hash that will serve as the signature. Since the same key is used both to generate the signature and to validate it, care must be taken to ensure that the key is not compromised.

Anyway, in jwt.io, you can change the algorithm used.

Hope that helps
Bye