JWT Signature Verifier
Verify JWT token signatures with key validation and expiration checking
What is JWT Signature Verification?
JWT signature verification validates that a JSON Web Token is authentic and hasn't been tampered with. Unlike simple decoding, verification uses the secret key (for HMAC algorithms) or public key (for RSA algorithms) to cryptographically confirm the token's integrity. This tool also checks expiration times and other standard claims.
How to Use
- Paste your JWT token into the input field
- Select the algorithm that was used to sign the token
- Enter the secret key (for HMAC) or public key (for RSA)
- Click "Verify JWT" to validate the signature
- Review the verification result and decoded payload
Supported Algorithms
- HS256, HS384, HS512: HMAC algorithms using shared secret keys. Fast and simple, but both parties need the same secret.
- RS256, RS384, RS512: RSA algorithms using public/private key pairs. More secure for distributed systems since you can share the public key safely.
Example
Token signed with HS256 and secret "my-secret-key":
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNzAwMDAwMDAwfQ.signature
Verification with correct secret: ✅ Valid
Verification with wrong secret: ❌ Invalid signature
What Gets Verified
- Signature Integrity: Confirms the token hasn't been modified
- Expiration (exp): Checks if the token has expired
- Not Before (nbf): Checks if the token is valid yet
- Algorithm Match: Ensures the algorithm matches expectations
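The Example above and the checklist in this section, worked through in code. This Python verifier is an added example and not the tool's own source: it rebuilds the page's example token from the header and payload segments shown (signed with the page's "my-secret-key"; the signature segment elided on the page is computed here) and performs the four checks listed, in the order a verifier should apply them: algorithm match against an algorithm the verifier pins rather than reads from the header, signature integrity with a constant-time comparison, then exp and nbf. It covers only the HMAC family from the page; RS* verification needs an RSA library. The function names (verify_jwt, make_hs_token, example_token, decode_jwt) and the test payloads are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed inputs for this example. The header and payload segments are the ones in
# the page's example token; EXAMPLE_SECRET is the page's "my-secret-key".
EXAMPLE_HEADER_B64 = "eyJhbGciOiJIUzI1NiJ9"
EXAMPLE_PAYLOAD_B64 = "eyJzdWIiOiJ1c2VyMTIzIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNzAwMDAwMDAwfQ"
EXAMPLE_SECRET = "my-secret-key"

# The HMAC family from the page. The verifier pins one of these instead of trusting the
# header's "alg", so a token claiming a different algorithm (or "none") is refused.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it so the standard decoder accepts them.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> tuple:
    """Decoding only: shows header and payload but proves nothing about authenticity."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def hs_signature(signing_input: str, secret: str, alg: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), HMAC_ALGS[alg]).digest()


def make_hs_token(payload: dict, secret: str, alg: str = "HS256") -> str:
    """Sign a payload; used here only to build tokens for exercising the verifier."""
    header_b64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    return f"{signing_input}.{b64url_encode(hs_signature(signing_input, secret, alg))}"


def example_token() -> str:
    """Rebuild the page's example token; its signature segment was elided on the page."""
    signing_input = f"{EXAMPLE_HEADER_B64}.{EXAMPLE_PAYLOAD_B64}"
    return f"{signing_input}.{b64url_encode(hs_signature(signing_input, EXAMPLE_SECRET, 'HS256'))}"


def verify_jwt(token: str, secret: str, expected_alg: str = "HS256", now: float = None) -> dict:
    """Return {"valid": bool, "reason": str, "payload": dict or None}.

    Checks, in order: structure, algorithm match, signature integrity (constant-time
    comparison), then the time-based exp and nbf claims.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"valid": False, "reason": "malformed token", "payload": None}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        provided_sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return {"valid": False, "reason": "malformed token", "payload": None}

    # Algorithm match: the verifier, not the token, decides which algorithm is acceptable.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return {"valid": False, "reason": "algorithm mismatch", "payload": None}

    # Signature integrity: recompute the MAC over header.payload and compare in constant time.
    expected_sig = hs_signature(f"{header_b64}.{payload_b64}", secret, expected_alg)
    if not hmac.compare_digest(expected_sig, provided_sig):
        return {"valid": False, "reason": "invalid signature", "payload": None}

    if not isinstance(payload, dict):
        return {"valid": False, "reason": "malformed token", "payload": None}
    # exp: the current time must be strictly before exp (RFC 7519 section 4.1.4).
    exp = payload.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        return {"valid": False, "reason": "token expired", "payload": None}
    # nbf: the current time must be at or after nbf (RFC 7519 section 4.1.5).
    nbf = payload.get("nbf")
    if nbf is not None and (not isinstance(nbf, (int, float)) or now < nbf):
        return {"valid": False, "reason": "token not yet valid", "payload": None}

    return {"valid": True, "reason": "ok", "payload": payload}


if __name__ == "__main__":
    token = example_token()
    print(verify_jwt(token, EXAMPLE_SECRET)["reason"])   # ok
    print(verify_jwt(token, "wrong-secret")["reason"])   # invalid signature
```

The order of the checks matters: the algorithm is compared before any key material is used, so a header that names a different algorithm never reaches the MAC computation, and the claim checks run only on a payload whose signature has already been confirmed.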
Security Best Practices
- Always verify JWT signatures on your backend server, never in the browser for production
- Use strong, randomly generated secrets (at least 256 bits for HS256)
- Set appropriate expiration times - shorter is more secure
- Never include sensitive data in JWT payloads (they're not encrypted)
- Rotate secrets and keys regularly
Privacy Notice
All JWT verification happens entirely in your browser. Your tokens, secrets, and keys are never transmitted to any server, ensuring complete privacy. However, this tool is for development and testing only - never use production secrets in browser-based tools.
Frequently Asked Questions
What's the difference between decoding and verifying a JWT?
Decoding simply reveals the JWT's contents by Base64URL-decoding the header and payload; anyone can do it, and it proves nothing about who issued the token. Verification checks the signature using the secret or public key to ensure the token is authentic and hasn't been tampered with. This tool verifies signatures - it confirms that the token was signed with the given key and has not been altered since.
Should I use this tool with production secrets?
No, this tool is for testing and development only. Never enter production secrets or private keys in browser-based tools. Always verify JWTs on your secure backend server in production environments where secrets can be properly protected.
What's the difference between HMAC and RSA verification?
HMAC algorithms (HS256, HS384, HS512) use a shared secret key for both signing and verification. RSA algorithms (RS256, RS384, RS512) use public/private key pairs - tokens are signed with the private key and verified with the public key. RSA is safer for distributed systems since you can share the public key without compromising security.
Why does verification fail with "Invalid signature"?
This error means the signature doesn't match the token's content. Common causes: using the wrong secret/key, the token was tampered with, or the selected algorithm doesn't match the one used to sign the token. Make sure you're using the exact same secret and algorithm that were used to create the token.
What happens if my token is expired?
The verifier checks the 'exp' (expiration) claim and will fail verification if the current time is past the expiration time. This is a security feature - expired tokens should not be trusted. You'll see a clear error message indicating the token has expired.
Can I verify tokens without the secret key?
No, you need the secret key (for HMAC algorithms) or the public key (for RSA algorithms) to verify signatures. Without the correct key, verification will always fail. This is by design - only parties with the key can verify token authenticity.