Free, browser-based utilities for everyday developer workflows

Verify a JWT signature

Check whether a JWT is authentic: verify the signature with the HMAC secret or the issuer's public key, confirm the algorithm, and read the claims and expiry — all locally.

Open this example in JWT & OAuth Toolkit

Open the tool, then paste the sample input below. Everything runs locally in your browser.

The problem

Decoding a JWT shows its claims but proves nothing — anyone can craft a token. To trust it you must verify the signature with the right key and algorithm. Doing that locally lets you debug auth failures without sending a credential to a third-party site.

Sample input

Inputs
token:  eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyLTQyIn0.<signature>
alg:    HS256
secret: s3cr3t-signing-key

Expected output

Result
Signature: VALID (HS256)
Claims:    sub = user-42
Expiry:    no exp claim - token does not expire

A valid signature means the token was signed with that secret and not altered. For RS256/ES256 you supply the public key instead of a shared secret.

How to do it

  1. Paste the JWT.
  2. Select the signing algorithm.
  3. Provide the HMAC secret or the public key.
  4. Verify the signature.
  5. Check the claims and expiry once it is valid.

Common mistakes

  • Confusing decoding with verifying — decoding never checks the signature.
  • Using the wrong algorithm, such as HS256 against an RS256 token.
  • Supplying a shared secret when the token needs a public key.
  • Trusting claims before the signature is confirmed valid.
  • Ignoring the exp claim so an expired but valid-signed token is accepted.
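The verification steps above and the failure modes in this list, as an added Python example that is not the toolkit's own code. It uses only the standard library, pins the algorithm to HS256 instead of trusting the header, compares signatures in constant time, and checks exp; the sample token is constructed inline from the secret and claims in the sample input.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: str) -> str:
    """Mint an HS256 token; used here only to construct sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: str, now=None) -> dict:
    """Verify signature, pinned algorithm and expiry; claims are returned only after the signature checks out."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"valid": False, "reason": "malformed token", "claims": None}
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the expected algorithm: the header says what the token claims, not how we verify
    if header.get("alg") != "HS256":
        return {"valid": False, "reason": f"alg mismatch: header says {header.get('alg')}", "claims": None}
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison, so a wrong signature cannot be probed byte by byte
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return {"valid": False, "reason": "signature invalid", "claims": None}
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return {"valid": False, "reason": "token expired", "claims": claims}
    return {"valid": True, "reason": "ok", "claims": claims}

if __name__ == "__main__":
    secret = "s3cr3t-signing-key"                    # secret from the sample input above
    token = sign_hs256({"sub": "user-42"}, secret)   # constructed sample token
    print(verify_hs256(token, secret))               # valid, sub = user-42, no exp claim
    print(verify_hs256(token, "wrong-secret"))       # signature invalid
```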

FAQ

What is the difference between decoding and verifying a JWT?

Decoding reads the header and claims without checking authenticity. Verifying confirms the signature with the signing key, proving the token was issued by the holder of that key and not altered.

Which key do I use to verify?

For HMAC algorithms like HS256 you use the shared secret. For RSA or ECDSA algorithms like RS256 or ES256 you use the issuer's public key.

Why does verification fail with the right secret?

Often the algorithm is mismatched, the token was altered, or there is trailing whitespace in the secret. Confirm the alg in the header matches the key type you supplied.

Does a valid signature mean the token is still usable?

Not necessarily. A signature can be valid while the token is expired. Always check the exp claim in addition to the signature.

Is my token or key uploaded?

No. Verification runs locally in your browser. Neither the token nor the key is sent to a server.
