JWT Signature Verifier
Verify a JWT signature using HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512 with your secret key
Signature Verification
Only HMAC algorithms are supported for client-side verification
🔒 Your secret never leaves your device
How to Use JWT
1. Paste your JWT token
2. Enter the secret key used to sign the token
3. Select the algorithm (HS256, HS384, HS512)
4. Click Verify to check the signature
5. See if the signature is valid or invalid
What You Get
HMAC signature verification using the WebCrypto API. Supports the HS256, HS384, and HS512 algorithms. Shows the verification result instantly.
Input: Valid token + correct secret
Output: ✓ Signature Valid
Input: Valid token + wrong secret
Output: ✗ Signature Invalid
Input: RS256 token
Output: Asymmetric algorithms not supported client-side
How do I verify a JWT signature online?
Enter your JWT token, paste the secret key used to sign it, select the algorithm (HS256/384/512), and click Verify. The tool computes the signature locally and compares it.
What JWT algorithms can I verify in a browser?
HMAC algorithms (HS256, HS384, HS512) work client-side because they use a symmetric secret. RSA (RS256) and ECDSA (ES256) need asymmetric keys and typically require server-side verification.
Why does my JWT signature verification fail?
Three common causes: wrong secret key, wrong algorithm selected, or the token was modified after signing. Double-check all three. Remember that secrets are case-sensitive.
Is my secret key safe when verifying online?
Yes, if you use a client-side tool like this one. Verification happens entirely in your browser using the WebCrypto API. Your secret never gets transmitted anywhere.
Why can't I verify RS256 JWT tokens in the browser?
RS256 uses RSA asymmetric signatures. You need the public key (not the private key) to verify. Public keys are often served from a JWKS endpoint, which requires server-side fetching.
What does "Invalid Signature" mean for a JWT?
The signature in your token doesn't match what would be computed with your secret. Either the secret is wrong, the algorithm is wrong, or someone modified the token after it was signed.
Can a JWT have a valid signature but still be expired?
Yes. Signature verification and expiration checking are separate. A token can be cryptographically valid but have an "exp" claim set to a time in the past, making it logically invalid.
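The checks described in the answers above, as an added example (not this tool's own code): HS256/384/512 verification with WebCrypto against the algorithm the verifier selected, followed by a separate `exp` check. The names `verifyJwt` and `signSample`, the secret `s3cret` and the sample claims are assumptions constructed for illustration.

```javascript
// Added example: HMAC JWT verification with WebCrypto, plus a separate exp check.
// Browsers and Node 20+ expose globalThis.crypto; the require() fallback is for older Node.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const HASHES = { HS256: "SHA-256", HS384: "SHA-384", HS512: "SHA-512" };
const enc = new TextEncoder(), dec = new TextDecoder();

const b64urlToBytes = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));
const bytesToB64url = (buf) =>
  btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const hmacKey = (secret, alg, usage) =>
  subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: HASHES[alg] }, false, [usage]);

// Demo-only helper (hypothetical name) that constructs sample tokens for this example.
async function signSample(payload, secret, alg) {
  const input = [{ alg, typ: "JWT" }, payload]
    .map((o) => bytesToB64url(enc.encode(JSON.stringify(o)))).join(".");
  const sig = await subtle.sign("HMAC", await hmacKey(secret, alg, "sign"), enc.encode(input));
  return `${input}.${bytesToB64url(sig)}`;
}

// Returns { signatureValid, expired, reason }. `alg` is the algorithm the verifier
// selected; the token's own header is never allowed to choose the algorithm.
async function verifyJwt(token, secret, alg, nowSec = Math.floor(Date.now() / 1000)) {
  const fail = (reason) => ({ signatureValid: false, expired: null, reason });
  if (!Object.hasOwn(HASHES, alg)) return fail("unsupported algorithm");
  const parts = token.split(".");
  if (parts.length !== 3) return fail("malformed token");
  let header, payload, sig;
  try {
    header = JSON.parse(dec.decode(b64urlToBytes(parts[0])));
    payload = JSON.parse(dec.decode(b64urlToBytes(parts[1])));
    sig = b64urlToBytes(parts[2]);
  } catch { return fail("malformed token"); }
  if (header?.alg !== alg) return fail("header alg does not match selected algorithm");
  // subtle.verify recomputes the HMAC over "header.payload" and compares it internally.
  const key = await hmacKey(secret, alg, "verify");
  const ok = await subtle.verify("HMAC", key, sig, enc.encode(`${parts[0]}.${parts[1]}`));
  if (!ok) return fail("signature mismatch");
  // Expiration is a separate, logical check that only runs once the signature holds.
  const expired = typeof payload?.exp === "number" ? payload.exp <= nowSec : false;
  return { signatureValid: true, expired, reason: expired ? "token expired" : "ok" };
}

// Constructed sample: correctly signed, but exp lies in the past.
signSample({ sub: "demo", exp: 1 }, "s3cret", "HS256")
  .then((t) => verifyJwt(t, "s3cret", "HS256")).then(console.log);
```

The `expired` field is only meaningful when `signatureValid` is true, because claims from an unverified payload must not be trusted.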
How do I find my JWT secret key?
The secret is set by whoever created the token (your auth server or API). Check your environment variables, config files, or auth provider dashboard. Never commit secrets to version control.
All processing happens in your browser. Your tokens never leave your device.