Question 1

How does JWT signature verification work?

Accepted Answer

The signature is computed over the header and payload (base64url-encoded, joined by a dot). For HMAC (HS256/384/512), the server signs with a secret; you verify by computing the same HMAC with the secret and comparing. For RSA (RS256), the server signs with a private key; you verify with the public key.

Question 2

Why can't I verify my RS256 JWT?

Accepted Answer

RSA verification requires the public key in PEM format (-----BEGIN PUBLIC KEY-----). Some PEM keys use PKCS#1 (-----BEGIN RSA PUBLIC KEY-----) which browsers don't support directly — convert to SPKI format. If verification fails, check the key matches the issuer and the JWT hasn't been modified.

Question 3

Is it safe to paste my JWT here?

Accepted Answer

Yes. All processing runs in your browser. Your JWT and secret/key are never sent to any server. Be cautious with tokens that contain sensitive claims — anyone with the token can decode the payload. Don't share tokens or keys in screenshots or logs.

Question 4

What does 'unable to verify' mean?

Accepted Answer

This appears when the algorithm requires a key (HMAC secret or RSA public key) but none was provided, or when the key format is invalid. For RS256, ensure you paste a PEM public key. For HS256, paste the secret used to sign the token.

Question 5

What about ES256 (ECDSA)?

Accepted Answer

Web Crypto supports ECDSA. This tool focuses on HMAC and RSA. For ES256/384/512, you'd need to import an EC public key. The decode and algorithm detection work the same; only the verification step would need EC key support.

JWT Signature Verifier

JWT

Secret (HMAC) or Public Key (RSA, PEM)

JWT Signature Verification

HMAC vs RSA

When to Verify JWTs

Frequently Asked Questions

How does JWT signature verification work?

Why can't I verify my RS256 JWT?

Is it safe to paste my JWT here?

What does 'unable to verify' mean?

What about ES256 (ECDSA)?

Related Tools

Explore More Tools